Abstract

Security-sensitive applications that execute untrusted code often check the code's integrity by comparing its syntax to a known good value or sandbox the code to contain its effects. System M is a new program logic for reasoning about such security-sensitive applications. System M extends Hoare Type Theory (HTT) to trace safety properties and, additionally, contains two new reasoning principles. First, its type system internalizes logical equality, facilitating reasoning about applications that check code integrity. Second, a confinement rule assigns an effect type to a computation based solely on knowledge of the computation's sandbox. We prove the soundness of System M relative to a step-indexed trace-based semantic model. We illustrate both new reasoning principles of System M by verifying the main integrity property of the design of Memoir, a previously proposed trusted computing system for ensuring state continuity of isolated security-sensitive applications.

Keywords  Program  logic,  traces,  adversarial  code,  security 

1.  Introduction 

Software systems, such as Web browsers, smartphone platforms, and extensible operating systems and hypervisors, are designed to provide subtle security properties in the presence of adversaries who can supply code, which is then executed with the privileges of the trusted system. For example, webpages routinely execute third-party JavaScript with full access to their content; smartphones execute apps from open app stores, often with very lax sandboxes; operating system kernels include untrusted (and often buggy) device drivers; and trusted computing platforms load programs from disk and only later verify loaded programs using the Trusted Platform Module (TPM) [32]. Despite executing potentially adversarial code, all these systems have security-related goals, often safety properties over traces [18]. For example, a hypervisor must ensure that an untrusted guest operating system running on top of it cannot modify the hypervisor's page table, a webpage must ensure that an embedded untrusted advertisement cannot access a user's password, and trusted computing mechanisms must enable a remote party to check that an expected software stack was loaded in the expected order on an untrusted server.

Secure execution of untrusted code in trusted contexts relies on two common mechanisms. First, untrusted code is often run inside a sandbox that confines its interaction with key system resources to a restricted set of interfaces. This practice is seen in Web browsers, hypervisors, and other security-critical systems. Second, code identification mechanisms are used to infer that an untrusted piece of code is in fact syntactically equal to a known piece of code. These mechanisms include distribution of signed code, and trusted computing mechanisms [32] that leverage hardware support to enable remote parties to check the identity of code on an untrusted computer. Motivated by these systems, we present a program logic, called System M, for modeling and proving safety properties of systems that securely execute adversary-supplied code via sandboxing and code identification.

System M's design is inspired by Hoare Type Theory (HTT) [21-23]. Like HTT, a monad separates computations with side-effects from pure expressions, and a monadic type both specifies the return type of a computation and includes a postcondition that specifies the computation's side-effects. The postcondition of a computation type in System M uses predicates over the entire trace of the computation. This is motivated by our desire to verify safety properties [18], which are, by definition, predicates on traces. Further, the postcondition contains not one but two predicates on traces. One predicate, the standard partial correctness assertion, holds if the computation completes. The other, called the invariant assertion, holds at all intermediate points of the computation, even if the computation is stuck or divergent. The invariant assertion is directly used to represent safety properties.

To this basic infrastructure, we add two novel reasoning principles that internalize the rationale behind commonly used mechanisms for ensuring secure execution of adversary-supplied code: code identification and sandboxing. These rules derive effects of untyped code potentially provided by an adversary and, hence, enable the typing derivation of the trusted code to include, as subderivations, the reasoning about effects of the adversarial code.

The first principle, a rule called Eq, ascribes the type of a program e to another program e': if e is syntactically equal to e' and e : τ, then e' : τ. This rule is useful for typing programs read from adversary-modifiable memory locations when separate reasoning can establish that the value stored in the location is, in fact, syntactically equal to some known expression with a known type. Depending on the application, such reasoning may be based on a dynamic check (e.g., in secure boot [27] the hash of a textual reification of a program read from adversary-accessible memory is compared to the corresponding hash of a known program before executing the read program) or it may be based on a logical proof showing the inability of the adversary to write the location in question (e.g., showing that guests cannot write to hypervisor memory).

Our second reasoning principle, manifest in a rule called CONFINE, allows us to type partially specified adversary-supplied code from knowledge of the sandbox in which the code will execute. The intuition behind this rule is that if all side-effecting interfaces available to a computation maintain a certain invariant on the shared state, then that computation cannot violate that invariant, irrespective of its actual code. The CONFINE rule generalizes prior work of Garg et al. on reasoning about interface-confined adversarial code in a first-order language [14]. The main difference from Garg et al. [14] is that in this paper trusted interfaces can receive and execute code, in addition to data, from the adversary and other trusted components. Our use of the CONFINE rule stresses our view that assumptions made about adversarial code should be minimized. In contrast, a lot of work, e.g., proof-carrying code [25], requires that adversarial code be checked in a rich type system prior to execution, which eliminates the need for a rule like CONFINE. Section 3 explains intuitions behind these two principles in more detail.

We show soundness of System M relative to a step-indexed model [2] built over syntactic traces. As in some prior work [8-10, 14], our semantics of assertions and postconditions account for interleaving actions from concurrently executing programs including adversarial programs and, hence, our soundness theorem implies that all verified properties hold in the presence of adversaries, which is a variant of robust safety, proposed by Gordon et al. [15]. System M supports compositional proofs: security proofs of sequentially composed programs are built from proofs of their sub-programs. System M also admits concurrent composition: properties proved of a program hold when that program executes concurrently with other, even adversarial, programs.

System M is the first program logic that allows proofs of safety for programs that execute adversary-supplied code with adequate precautions, but does not force the adversarial code to be completely available for typing. Other frameworks like Bhargavan et al.'s contextual theorems [4] for F7 achieve expressiveness similar to the CONFINE rule for a slightly limited selection of trace properties. (We compare to related work in Section 7.) Our step-indexed model of Hoare types is also novel: our exclusion of preconditions, our use of call-by-name β-reduction, and the inclusion of adversary-supplied code make the model nonstandard.

System M can be used to model and verify protocols as well as system designs. We demonstrate the reasoning principles of System M by verifying the state continuity property of the design of Memoir [28], a previously proposed trusted computing system. For reasons of space, we elide proofs, some technical details and several typing rules from this paper. These are presented in the accompanying technical appendix.

2.  Term  Language  and  Operational  Semantics 

Figure 1. Term Syntax (the grammar did not survive extraction except for its final production, … | c₂ | if e then c₁ else c₂; the constructs are enumerated in the text below)

We summarize System M's term syntax in Figure 1. Pure expressions, denoted e, are distinguished from effectful computations, denoted c. An expression can be a variable, a constant, a function, a polymorphic function, a function application, a polymorphic function instantiation, or a suspended computation. Constants can be Booleans (tt, ff), natural numbers (n ∈ ℕ), thread identifiers (ι ∈ I), and memory locations (ℓ ∈ L). We use • as the placeholder for the type in a polymorphic function instantiation. Suspended computations comp(c) constitute a monad with return ret(e) and bind lete(e₁, x.c₂).

System M is parametrized over a set of action symbols A, which are instantiated with concrete actions based on specific application domains. For instance, A may be instantiated with memory operations such as read and write. An action, denoted a, is the application of an action symbol A to expression arguments.

A basic computation is either an atomic action (act(a)) or ret(e), which returns the pure expression e immediately. fix f(x).c is a fixpoint operator; f, which represents a suspended fixpoint computation, may appear free in the body c. The computation (c e) is the application of a fixpoint computation to its argument. letc(c₁, x.c₂) denotes the sequential composition of c₁ and c₂, while lete(e₁, x.c₂) is the sequential composition of the suspended computation to which e₁ reduces and c₂. In both cases, the expression returned by the first computation is bound to x, which may occur free in c₂. We sometimes use the alternate syntax x ← c₁; c₂ and let x = e₁; c₂. When the expression returned by the first computation is not used in c₂, we write c₁; c₂ and e₁; c₂.

The operational semantics of System M are small-step and based on interleaving of concurrent threads.

Stack          K ::= [] | x.c :: K
Thread         T ::= (ι; K; c) | (ι; K; e) | (ι; stuck)
Configuration  C ::= σ ▷ T₁, …, Tₙ

A thread T is a unit of sequential execution. A non-stuck thread is a triple (ι; K; c) or (ι; K; e), where ι is a unique identifier of that thread (drawn from a set I of such identifiers), K is the execution (continuation) stack, and c and e are the computation and expression currently being evaluated. A thread permanently enters a stuck state, denoted (ι; stuck), after performing an illegal action, such as accessing an unallocated memory location. An execution stack is a list of frames of the form x.c recording the return points of sequencing statements in the enclosing context. In a frame x.c, x binds the return expression of the computation preceding c. A configuration of the system is a shared state σ and a set of all threads. σ is application-specific; for the rest of this paper, we assume that it is a standard heap mapping pointers to expressions, but this choice is not essential. For example, in modeling network protocols, the heap could be replaced by the set of undelivered (pending) messages on the network.

For pure expressions, we use call-by-name β-reduction →β. This choice simplifies the operational semantics and the soundness proofs, as explained in Section 6. We elide the standard rules for →β. The small-step transitions for threads and system configurations are shown in Figure 2. The relation σ ▷ T ↪ σ' ▷ T' defines a small-step transition of a single thread. C → C' denotes a small-step transition for configuration C; it results from the reduction of any single thread in C.




2014/7/22 


Single-thread transition σ ▷ T ↪ σ' ▷ T':

$$\frac{\mathrm{next}(\sigma, a) = (\sigma', e) \qquad e \neq \mathrm{stuck}}{\sigma \triangleright (\iota;\ x.c :: K;\ \mathsf{act}(a)) \hookrightarrow \sigma' \triangleright (\iota;\ K;\ c[e/x])}\ \textsc{R-ActS}$$

$$\frac{\mathrm{next}(\sigma, a) = (\sigma', \mathrm{stuck})}{\sigma \triangleright (\iota;\ K;\ \mathsf{act}(a)) \hookrightarrow \sigma' \triangleright (\iota;\ \mathrm{stuck})}\ \textsc{R-ActF}$$

$$\frac{}{\sigma \triangleright (\iota;\ \mathrm{stuck}) \hookrightarrow \sigma \triangleright (\iota;\ \mathrm{stuck})}\ \textsc{R-Stuck}$$

$$\frac{}{\sigma \triangleright (\iota;\ x.c :: K;\ \mathsf{ret}(e)) \hookrightarrow \sigma \triangleright (\iota;\ K;\ c[e/x])}\ \textsc{R-Ret}$$

$$\frac{e \to_\beta e'}{\sigma \triangleright (\iota;\ K;\ e) \hookrightarrow \sigma \triangleright (\iota;\ K;\ e')}\ \textsc{R-SeqE2}$$

$$\frac{}{\sigma \triangleright (\iota;\ x.c_2 :: K;\ \mathsf{comp}(c_1)) \hookrightarrow \sigma \triangleright (\iota;\ x.c_2 :: K;\ c_1)}\ \textsc{R-SeqE3}$$

$$\frac{}{\sigma \triangleright (\iota;\ K;\ (\mathsf{fix}\ f(x).c)\ e) \hookrightarrow \sigma \triangleright (\iota;\ K;\ c[\lambda z.\mathsf{comp}((\mathsf{fix}\ f(x).c)\ z)/f][e/x])}\ \textsc{R-Fix}$$

Figure 2. Selected small-step reduction semantics of configurations

The rules for σ ▷ T ↪ σ' ▷ T' are mostly straightforward. The rules for evaluating an atomic action (R-ActS and R-ActF) rely on a function next that takes the current store σ and an action a, and returns a new store and an expression, which are the result of the action. If the action is illegal, then next(σ, a) = (σ', stuck). If the action returns a non-stuck expression e (rule R-ActS), then the top frame (x.c) is popped off the stack, and c[e/x] becomes the current computation of the thread. If next returns stuck (rule R-ActF), then the thread enters the stuck state and permanently remains there. When a sequencing statement lete(e₁, x.c₂) is evaluated, the frame x.c₂ is pushed onto the stack, and e₁ is first reduced to a suspended computation comp(c₁); then c₁ is evaluated. When a fixpoint application (fix f(x).c) e is evaluated, f is substituted with a function whose body is a suspension of fix f(x).c.

Any finite execution of a configuration results in a trace T, defined as a finite sequence of reductions. With each reduction we associate a time point u, also called a (logical) time point. These time points on the trace are monotonically increasing. A trace annotated with time is written $\xrightarrow{u_0} C_0 \xrightarrow{u_1} C_1 \cdots \xrightarrow{u_n} C_n$, where $u_i < u_{i+1}$. We follow the convention that the reduction from $C_i$ to $C_{i+1}$ happens at time $u_{i+1}$ and that its effects occur immediately. Thus the state at time $u_i$ is the state in $C_i$.
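The thread and configuration semantics above, as an added example that is not part of the paper: a small Python interpreter for the core computation language (act, ret, letc, lete, comp, if, and fixpoint application) with the frame stack K, a heap store σ, and a `next` function that returns stuck for an unallocated location. It compresses the →β steps of R-SEQE2 into one call-by-name evaluation, represents terms as nested tuples, assumes distinct binder names (the name z is reserved for the unfolding in R-FIX), and uses a schedule list in place of the nondeterministic choice of thread in C → C'. The two schedules in `demo` show that the same threads yield different traces and stores depending on the interleaving, and that a thread that reads an unallocated location is stuck for the rest of the trace.

```python
# Added example (not the paper's code): small-step interpreter for the core of
# System M's computation language.  Terms are nested tuples:
#   expressions  e: int | bool | str (location) | ('var', x) | ('comp', c)
#                   | ('lam', z, e) | ('app', e1, e2) | ('fix', f, x, c)
#   computations c: ('act', A, args) | ('ret', e) | ('letc', c1, x, c2)
#                   | ('lete', e1, x, c2) | ('if', e, c1, c2) | ('fixapp', fix, e)
# Assumptions: binder names are distinct (z is reserved for R-FIX unfolding);
# args is a tuple of expressions; the action symbols are heap read/write.
STUCK = "stuck"

def subst(t, x, v):
    """t[v/x] for expressions and computations (no capture with distinct names)."""
    if not isinstance(t, tuple) or not t:
        return t                                   # constants, unit ()
    tag = t[0]
    if tag == 'var':
        return v if t[1] == x else t
    if tag in ('letc', 'lete'):                    # x.c2 binds x in c2 only
        _, first, y, body = t
        return (tag, subst(first, x, v), y, body if y == x else subst(body, x, v))
    if (tag == 'lam' and t[1] == x) or (tag == 'fix' and x in (t[1], t[2])):
        return t                                   # x is rebound here
    return tuple(subst(u, x, v) for u in t)

def eval_expr(e):
    """Call-by-name beta-reduction (R-SEQE2) down to a non-application form."""
    while isinstance(e, tuple) and e and e[0] == 'app':
        fn = eval_expr(e[1])
        assert fn[0] == 'lam', "applied a non-function"
        e = subst(fn[2], fn[1], e[2])              # the argument is not evaluated
    return e

def next_action(store, name, args):
    """next(sigma, a): heap read/write; an unallocated location is illegal."""
    args = [eval_expr(a) for a in args]
    if name == 'read':
        return store, store.get(args[0], STUCK)
    if name == 'write' and args[0] in store:
        return {**store, args[0]: args[1]}, ()
    return store, STUCK

def pop_frame(tid, stack, value):
    """R-ActS / R-Ret: bind the returned value in the top frame x.c."""
    if not stack:
        return (tid, [], ('done', value))          # no enclosing frame: finished
    x, c = stack[-1]
    return (tid, stack[:-1], subst(c, x, value))

def step(store, thread, trace):
    """One transition sigma |> T -> sigma' |> T' of a single thread."""
    tid, stack, c = thread
    if c is STUCK or c[0] == 'done':               # R-Stuck: stays stuck forever
        return store, thread
    tag = c[0]
    if tag == 'act':
        store2, res = next_action(store, c[1], c[2])
        trace.append((tid, c[1], tuple(eval_expr(a) for a in c[2])))
        if res is STUCK:                           # R-ActF
            return store2, (tid, None, STUCK)
        return store2, pop_frame(tid, stack, res)  # R-ActS
    if tag == 'ret':                               # R-Ret
        return store, pop_frame(tid, stack, c[1])
    if tag == 'letc':                              # push frame x.c2, run c1
        return store, (tid, stack + [(c[2], c[3])], c[1])
    if tag == 'lete':                              # push frame, e1 -> comp(c1) (R-SEQE3)
        e = eval_expr(c[1])
        assert e[0] == 'comp', "let-expression did not yield a suspension"
        return store, (tid, stack + [(c[2], c[3])], e[1])
    if tag == 'if':
        return store, (tid, stack, c[2] if eval_expr(c[1]) else c[3])
    if tag == 'fixapp':                            # R-FIX: unfold the fixpoint
        _, fx, arg = c
        _, f, x, body = fx
        unfolded = ('lam', 'z', ('comp', ('fixapp', fx, ('var', 'z'))))
        return store, (tid, stack, subst(subst(body, f, unfolded), x, arg))
    raise ValueError("unknown computation %r" % (c,))

def run(store, threads, schedule):
    """Interleave threads in the order given by `schedule` (thread indices);
    the trace records (thread id, action symbol, arguments) per action."""
    threads, trace = list(threads), []
    for i in schedule:
        store, threads[i] = step(store, threads[i], trace)
    return store, threads, trace

def demo(schedule):
    """Constructed input: thread 1 runs a two-iteration fixpoint loop that
    writes l1; thread 2 copies l1 into l2 and then reads the unallocated l9."""
    loop = ('fix', 'f', 'b',
            ('if', ('var', 'b'),
                   ('letc', ('act', 'write', ('l1', False)), '_',
                            ('lete', ('app', ('var', 'f'), False), '_', ('ret', ()))),
                   ('ret', ())))
    t1 = (1, [], ('fixapp', loop, True))
    t2 = (2, [], ('letc', ('act', 'read', ('l1',)), 'v',
                  ('letc', ('act', 'write', ('l2', ('var', 'v'))), '_',
                           ('act', 'read', ('l9',)))))
    return run({'l1': True, 'l2': 0}, [t1, t2], schedule)
```

Running thread 1 to completion before thread 2 (`demo([0]*9 + [1]*6)`) leaves l2 = ff, whereas letting thread 2 take its first two steps first (`demo([1, 1] + [0]*9 + [1]*4)`) leaves l2 = tt; in both runs thread 2 ends stuck after its read of l9 and stays stuck under R-Stuck. The index of an entry in the returned trace plays the role of the logical time point u.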

3.  Motivating  Application 

We briefly review Memoir [28], our main application, and highlight the challenges in analyzing Memoir to motivate the novel typing rules for deriving properties of adversary-supplied code using code identification and sandboxing.

3.1  Overview  of  Memoir 

Figure 3. Snippet of invocation code

1  runmodule(srvc, snap, req, Nloc) =
2    …
3    (skey, freshness_tag) ← act(NVRAMread Nloc);
4    servicestate ← check_decrypt_snapshot(snap);
5    …
6    (state', resp) ← (srvc ExtendPCR ResetPCR ···) (state, req);
7    …

Memoir provides state-integrity guarantees for stateful security-sensitive services invoked by potentially malicious parties. Such services often rely on untrusted storage to store their persistent state. An example of such a service is a password manager that responds with a stored password when it receives a request containing a URL and a username. The service would want to ensure secrecy and integrity of its state; in this case, the set of stored passwords. Simply encrypting and signing the service's state cannot prevent the attacker from invoking the service with a valid but old state, and consequently mounting service rollback attacks. For the password manager service, this attack could cause the service to respond with old (possibly compromised) passwords. Memoir solves this problem by using the TPM to provide state integrity guarantees. Memoir relies on the following TPM features:

• Platform configuration registers (PCRs) contain 20-byte hashes known as measurements that summarize the current configuration of the system. The value they contain can only be updated in two ways: (1) a reset operation which sets the value of the PCR to a fixed default value; (2) an extend operation which takes as argument a value v and updates the value of the PCR to the hash of the concatenation of its current value with v.

• Late launch is a command that can be used to securely load a program. It extends the hash of the textual reification of the program into a special PCR (PCR 17). Combined with the guarantees provided by a PCR, late launch provides a mechanism for precise code identification.

• Non-volatile RAM (NVRAM) provides persistent storage that allows access control based on PCR measurements. Specifically, permissions on NVRAM locations can be tied to a PCR p and value v such that the location can only be read when the value contained in p is v.

Memoir has two phases: service initialization and service invocation. During initialization, the Memoir module is assigned an NVRAM block. It is also given a service to protect. The module generates a new symmetric key that is used throughout the lifetime of the service. It sets the permissions on accesses to the NVRAM block to be tied to the hash stored in PCR 17, which contains the hash of the code for Memoir and the service. To prevent rollback attacks, it uses a freshness tag, which is a chain of hashes of all the requests received so far. The secret key and an initial freshness tag are stored in the designated NVRAM location. The service then runs for the first time to generate an initial state, which along with the freshness tag is encrypted with the secret key and stored to disk. This encryption of the service's state along with the freshness tag is called a snapshot.

After initialization, a service can be invoked by providing Memoir with an NVRAM block, a piece of service code, and a snapshot. In Figure 3, we show a snippet of the Memoir service invocation code. Memoir retrieves the key and freshness tag from the NVRAM. Memoir then decrypts the snapshot and verifies that the freshness tag in the provided state matches the one stored in NVRAM. If the verification succeeds, Memoir computes a new freshness tag and updates the NVRAM. Next, it executes the service to generate a new state and a response. The new snapshot corresponding to the new state and freshness tag is stored to disk.
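The initialization and invocation protocol just described, as an added executable model that is not Memoir's own code. It models the three TPM features listed above (PCR reset and extend, late launch into PCR 17, NVRAM access tied to a PCR value), the freshness-tag hash chain, and the snapshot check of Figure 3, and then runs a replayed snapshot, a tampered snapshot and a swapped service against it. Assumptions: SHA-1 stands in for the 20-byte PCR hash; a snapshot is integrity-protected with an HMAC under the NVRAM key rather than encrypted; the service is a Python callable that sees the TPM only through the ExtendPCR/ResetPCR wrappers; `MEMOIR_CODE`, the `pwmgr` service and its request format are constructed for the demo.

```python
# Added example (not Memoir's code): executable model of Memoir's initialization
# and invocation.  Assumptions: SHA-1 is the 20-byte PCR hash; a snapshot is
# tag || state || HMAC under the NVRAM key (real Memoir also encrypts it); the
# service is a callable (ifc, state, req) -> (state', resp) confined to `ifc`.
import hashlib, hmac, json, os

MEMOIR_CODE = b"memoir-module-v1"              # constructed stand-in for the module text
PCR_DEFAULT = bytes(20)

def H(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

class TPM:
    def __init__(self):
        self.pcr = {}                            # index -> 20-byte measurement
        self.nvram = {}                          # loc -> (policy PCR, required value, data)
    def reset_pcr(self, p):                      # (1) reset to the fixed default
        self.pcr[p] = PCR_DEFAULT
    def extend_pcr(self, p, v):                  # (2) PCR_p := H(PCR_p || v)
        self.pcr[p] = H(self.pcr.get(p, PCR_DEFAULT), v)
    def late_launch(self, code):                 # measure the loaded program into PCR 17
        self.reset_pcr(17)
        self.extend_pcr(17, H(code))
    def nvram_define(self, loc, p, data):        # access tied to PCR p and its current value
        self.nvram[loc] = (p, self.pcr[p], data)
    def _check(self, loc):
        p, required, data = self.nvram[loc]
        if self.pcr.get(p) != required:          # illegal action: the thread would be stuck
            raise PermissionError("NVRAM access denied: PCR %d mismatch" % p)
        return p, required, data
    def nvram_read(self, loc):
        return self._check(loc)[2]
    def nvram_write(self, loc, data):
        p, required, _ = self._check(loc)
        self.nvram[loc] = (p, required, data)

def sandbox(tpm):
    """Interface wrappers handed to the untrusted service (what CONFINE reasons
    about).  PCR 17 is reset only by late launch, so no wrapper resets it."""
    def ResetPCR(p):
        if p == 17:
            raise PermissionError("PCR 17 is reset only by late launch")
        tpm.reset_pcr(p)
    return {"ExtendPCR": tpm.extend_pcr, "ResetPCR": ResetPCR}

def seal(skey, state, tag):                      # snapshot = tag || state || MAC
    body = tag + state
    return body + hmac.new(skey, body, hashlib.sha256).digest()

def unseal(skey, snap):
    body, mac = snap[:-32], snap[-32:]
    if not hmac.compare_digest(mac, hmac.new(skey, body, hashlib.sha256).digest()):
        raise ValueError("snapshot forged or corrupted")
    return body[:20], body[20:]                  # (freshness tag, service state)

def initialize(tpm, service_code, service, loc):
    tpm.late_launch(MEMOIR_CODE + service_code)
    skey, tag0 = os.urandom(32), H(b"")
    tpm.nvram_define(loc, 17, skey + tag0)       # readable only under this PCR 17 value
    state0, _ = service(sandbox(tpm), b"", b"init")
    return seal(skey, state0, tag0)

def runmodule(tpm, service_code, service, snap, req, loc):
    """Figure 3: key and tag from NVRAM, check the snapshot, advance the
    freshness tag, and only then run the service on the recovered state."""
    tpm.late_launch(MEMOIR_CODE + service_code)  # other service code => other PCR 17
    data = tpm.nvram_read(loc)                   # act(NVRAMread Nloc)
    skey, tag = data[:32], data[32:]
    snap_tag, state = unseal(skey, snap)         # check_decrypt_snapshot(snap)
    if snap_tag != tag:
        raise ValueError("stale snapshot: rollback rejected")
    tag2 = H(tag, req)                           # hash chain over all requests so far
    tpm.nvram_write(loc, skey + tag2)            # committed before srvc runs
    state2, resp = service(sandbox(tpm), state, req)
    return resp, seal(skey, state2, tag2)

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except (PermissionError, ValueError) as e:
        return str(e)

def demo():
    """Constructed scenario: a password manager, then replay, tampering and a
    swapped service; the legitimate snapshot keeps working afterwards."""
    def pwmgr(ifc, state, req):
        db = json.loads(state or b"{}")
        op, *a = req.decode().split(":")
        if op == "set":
            db[a[0]] = a[1]
        resp = db.get(a[0], "").encode() if op == "get" else b"ok"
        return json.dumps(db).encode(), resp
    tpm, code, loc = TPM(), b"pwmgr-v1", "nv0"
    snap0 = initialize(tpm, code, pwmgr, loc)
    _, snap1 = runmodule(tpm, code, pwmgr, snap0, b"set:example.org/alice:hunter2", loc)
    resp, snap2 = runmodule(tpm, code, pwmgr, snap1, b"get:example.org/alice", loc)
    out = {"get": resp}
    out["rollback"] = attempt(runmodule, tpm, code, pwmgr, snap1, b"get:example.org/alice", loc)
    forged = snap2[:25] + bytes([snap2[25] ^ 1]) + snap2[26:]
    out["forged"] = attempt(runmodule, tpm, code, pwmgr, forged, b"get:example.org/alice", loc)
    out["swapped"] = attempt(runmodule, tpm, b"pwmgr-evil", pwmgr, snap2, b"get:example.org/alice", loc)
    out["reset17"] = attempt(sandbox(tpm)["ResetPCR"], 17)
    out["after"], _ = runmodule(tpm, code, pwmgr, snap2, b"get:example.org/alice", loc)
    return out
```

The ordering in `runmodule` follows the text: the freshness tag in NVRAM is advanced before the service runs, so a snapshot from an invocation that did not complete is already stale. Every rejection in `demo` happens before the NVRAM write, which is why the legitimate snapshot `snap2` still works afterwards; the swapped service fails at the NVRAM read because late launch measured different code into PCR 17.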

The security property we prove about Memoir is that the service can only be invoked on the state generated by the last completed instance of the service. The proof of security for Memoir requires reasoning about the effects of the service, which is provided by potentially malicious parties.

To derive properties of the runmodule code shown above one needs to assign a type to srvc, which is provided by an adversary. The service srvc, run on line 6, is a function that contains no free actions. However, srvc takes as arguments interface functions corresponding to every atomic action in our model. Shown above are ExtendPCR and ResetPCR, which are simply wrappers for the corresponding atomic actions.

For example, the proof requires deriving the following two invariant properties about srvc:

1. It does not change the value of the PCR to a state that allows the adversary to later read the NVRAM.

2. It does not leak the secret key.

The first invariant is derived using the fact that the service is confined to the interface exposed by the TPM. The second invariant is derived in three steps: (i) prove that srvc is syntactically equal to the initial service; (ii) assume that the initial service does not leak the secret key; and (iii) hence infer that srvc does not leak the secret key. We next describe System M's typing rules that enable such reasoning.

3.2 Typing Adversary-Supplied Code

Reasoning about effects of confinement  In analyzing programs that execute adversary-supplied code, one often encounters a partially trusted program, whose code is unknown, but which is known or assumed to be confined to the use of a specific set of interfaces to perform actions on shared state. In our Memoir example, every program on the machine is confined to the interface provided by the TPM. Using just this confinement information, we can sometimes deduce a useful effect-type for the partially trusted program. Suppose c is a closed computation, which syntactically does not contain any actions and can invoke as subprocedures the computations c₁, …, cₙ only (i.e., c is confined to c₁, …, cₙ). If all actions performed by c₁, …, cₙ satisfy a predicate φ, then the actions performed by c must also satisfy φ, irrespective of the code of c. Hence, we can statically specify the effects of c, without knowing its code, but knowing the effects of c₁, …, cₙ.

We formalize this intuition in a typing rule called CONFINE. To explain this rule, we introduce some notation. Let τ denote types in System M that include postconditions for computations and, specifically, let cmp(τ, φ) denote the monadic type of computations that return a value of type τ and whose actions satisfy the predicate φ. (The notation cmp(τ, φ) is simpler than our actual computation types, but it suffices for the explanation here.)

As an illustration of our CONFINE rule, consider any closed expression e. Assume that e does not contain any primitive actions. Then, we claim that for any φ, e has the type cmp(bool, φ) → cmp(bool, φ). To understand this claim, assume that φ is the property "the action is not a write to memory". To show that e : cmp(bool, φ) → cmp(bool, φ), we must show that for any v : cmp(bool, φ), e v : cmp(bool, φ). Hence, we must show that the actions performed by the computation, say c, that e v evaluates to do not include write. This can be argued easily: because e is closed and does not contain any actions, the only way this computation c could write is by invoking the computation v. However, because v : cmp(bool, φ), v does not write. Hence, e v : cmp(bool, φ).

In fact, we can assign e any type, including higher-order function types, as long as the effects in that type are φ. Let the predicate confine(τ)(φ) mean that φ = φ' for all nested types of the form comp(τ'; φ') in τ. Let confine(Γ)(φ) mean that every type τ that Γ maps to satisfies confine(τ)(φ). Let fa(e) = ∅ mean that e syntactically does not contain any actions. Then, the idea of typing through confinement is captured by the following rule. The rule says that for any e without any actions, if τ's nested effects are φ, and the types of the free variables in e also only have φ as effects, then e : τ, with any predicate φ. (Our actual typing rule, shown in Section 4.1 after more notation has been introduced, is more complex. The actual rule also admits predicates over traces, which are more general than the predicates over individual actions that we have considered here.)

$$\frac{\mathrm{fa}(e) = \emptyset \qquad \mathrm{fv}(e) \in \Gamma \qquad \mathrm{confine}(\tau)(\varphi) \qquad \mathrm{confine}(\Gamma)(\varphi)}{\Gamma \vdash e : \tau}\ \textsc{Confine}$$


In our Memoir example, we use the CONFINE rule to derive the invariants of the service invoked by the attacker. For instance, if we can show that none of the TPM primitives resets the value of the PCR, then using the CONFINE rule, we can claim that srvc, when applied to these primitives, does not reset the value of the PCR. We revisit this proof with specific details in Section 4.2.

In typing a statically unknown expression using the CONFINE rule we assume that the expression is syntactically free of actions and that all of its free variables are in Γ. These are reasonable assumptions for untrusted code to be sandboxed. In an implementation these assumptions can be discharged either by dynamic checks during execution, by static checks during program linking, or by hardware-enforced interface confinement. For example, in our Memoir analysis, the hardware ensures that TPM state can be modified by the service only using the TPM interface.
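One way to discharge the premises of CONFINE by a static check at link time, as an added example that is not the paper's type checker: the code walks an untrusted term for free actions (fa(e) = ∅) and free variables (fv(e) ∈ Γ), and walks the claimed type τ and the sandbox context Γ for nested computation types whose effect differs from φ. Term and type representations as nested tuples, and effects as plain strings naming a predicate, are assumptions of the example; `examples` runs the cmp(bool, φ) → cmp(bool, φ) case from the text together with three terms the rule must reject.

```python
# Added example (not the paper's type checker): a linker-style static check of
# the premises of the CONFINE rule over untrusted code.  Terms and types are
# nested tuples (assumption):
#   types  ('b',) | ('any',) | ('pi', x, t1, t2) | ('cmp', t, phi)
#   terms  constants | ('var', x) | ('lam', x, e) | ('app', e1, e2) | ('comp', c)
#          | ('act', A, args) | ('ret', e) | ('letc', c1, x, c2) | ('lete', e1, x, c2)
# An effect phi is a string naming the predicate on actions.

def _union(parts):
    return set().union(*parts)

def free_actions(t):
    """fa(e): action symbols occurring syntactically in t."""
    if isinstance(t, list):
        return _union(free_actions(u) for u in t)
    if not isinstance(t, tuple) or not t:
        return set()
    if t[0] == 'act':
        return {t[1]} | free_actions(t[2])
    return _union(free_actions(u) for u in t[1:])

def free_vars(t):
    """fv(e): variables not bound by lam, letc or lete."""
    if isinstance(t, list):
        return _union(free_vars(u) for u in t)
    if not isinstance(t, tuple) or not t:
        return set()
    tag = t[0]
    if tag == 'var':
        return {t[1]}
    if tag == 'lam':
        return free_vars(t[2]) - {t[1]}
    if tag in ('letc', 'lete'):
        return free_vars(t[1]) | (free_vars(t[3]) - {t[2]})
    return _union(free_vars(u) for u in t[1:])

def confine_type(tau, phi):
    """confine(tau)(phi): every nested cmp(tau'; phi') in tau has phi' = phi."""
    if tau[0] == 'cmp':
        return tau[2] == phi and confine_type(tau[1], phi)
    if tau[0] == 'pi':
        return confine_type(tau[2], phi) and confine_type(tau[3], phi)
    return True                                    # b, any: no effects inside

def confine(gamma, e, tau, phi):
    """The four premises of CONFINE; returns (True, '') or (False, reason)."""
    fa = free_actions(e)
    if fa:
        return False, "fa(e) = %s, not empty" % sorted(fa)
    unlisted = free_vars(e) - set(gamma)
    if unlisted:
        return False, "free variables %s not in Gamma" % sorted(unlisted)
    if not confine_type(tau, phi):
        return False, "confine(tau)(phi) fails"
    bad = sorted(x for x, t in gamma.items() if not confine_type(t, phi))
    if bad:
        return False, "confine(Gamma)(phi) fails for %s" % bad
    return True, ""

def examples():
    """The cmp(bool, phi) -> cmp(bool, phi) example of the text, plus terms and
    types the rule must reject (constructed inputs)."""
    phi = "no write"
    cmp_b = ('cmp', ('b',), phi)
    tau = ('pi', 'v', cmp_b, cmp_b)
    # e runs its argument and returns the result: no actions of its own
    run_arg = ('lam', 'v', ('comp', ('lete', ('var', 'v'), 'x', ('ret', ('var', 'x')))))
    # e' performs a write itself: a free action
    writer = ('lam', 'v', ('comp', ('letc', ('act', 'write', ['l', 1]), '_', ('ret', True))))
    # e'' calls an interface w that is not its argument
    caller = ('lam', 'v', ('comp', ('lete', ('var', 'w'), 'x', ('ret', ('var', 'x')))))
    return {
        'sandboxed': confine({}, run_arg, tau, phi),
        'free action': confine({}, writer, tau, phi),
        'unlisted interface': confine({}, caller, tau, phi),
        'weak interface': confine({'w': ('cmp', ('b',), 'may write')}, caller, tau, phi),
        'wrong result type': confine({}, run_arg, ('pi', 'v', cmp_b, ('cmp', ('b',), 'may write')), phi),
    }
```

The check is purely syntactic, which is the point of the rule: `run_arg` is accepted for any φ without looking at what it computes, while `caller` is accepted only once its interface w is in Γ with the same effect φ, since otherwise the sandbox could be used to perform an action outside φ.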


Deriving properties based on code integrity  Next we need to show that srvc does not leak its secret key. We assume this property about the initial service Memoir was invoked with. (This property could be verified either by manual audits or automated static analysis of the service code.) However, in our model the adversary could invoke Memoir on malicious service code (e.g., replacing a legitimate password manager service with code of the adversary's choice). In this case, we can show with additional reasoning that the srvc invoked later must be the same program as the initial service. To allow typing srvc, based on the proof of equality with the initial service and an assumed type for the initial service, we add a new rule called Eq.

$$\frac{\Gamma \vdash e : \tau \qquad \Gamma \vdash e = e'\ \mathsf{true}}{\Gamma \vdash e' : \tau}\ \textsc{Eq}$$

The Eq rule assigns the type τ of any expression e to any other expression e', which is known to be syntactically equal to e. This rule is trivially sound.

This pattern of first establishing code identity (identify an unknown code with some known code) and then using it to refine types is quite common in proofs of security-relevant properties. A similar pattern arises in analysis of systems that rely on memory protections to ensure that code read from the shared memory is the same as a piece of trusted code, and therefore, safe to execute. In Datta et al.'s work on analysis of remote attestation protocols [10], similar patterns arise for typing potentially modified software executed in a machine's boot sequence. Their model is untyped, but if it were to be typed, Eq could be used to complete the proofs.


4.  Type  System  and  Assertion  Logic 

The syntax for System M types is shown in Figure 4. Types for expressions, denoted τ, include type variables (X), a base type b, dependent function types (Πx:τ₁.τ₂), and polymorphic function types (∀X.τ). Since System M focuses on deriving trace properties of programs, the difference between base types such as unit and bool is of little significance. Therefore, System M has one base type b to classify all first-order terms. The type any contains all syntactically well-formed expressions (any stands for "untyped"). Memory always stores expressions of type any because the adversary could potentially write to any memory location.

Expr types      τ  ::= X | b | Πx:τ₁.τ₂ | ∀X.τ | comp(ηc) | any
Comp types      η  ::= x:τ.φ | φ | (x:τ.φ, φ')
Closed c types  ηc ::= u₁.u₂.i.(x:τ.φ₁, φ₂) | Πx:τ.u₁.u₂.i.(y:τ.φ₁, φ₂)
Assertions      φ  ::= P | e₁ = e₂ | e : τ | ⊤ | ⊥ | ¬φ | φ₁ ∧ φ₂ | φ₁ ∨ φ₂ | ∀x:τ.φ | ∃x:τ.φ
Action kinds    α  ::= Act(ηc) | Πx:τ.α | ∀X.α
Type var ctx    Θ  ::= · | Θ, X
Signatures      Σ  ::= · | Σ, A :: α
Logic var ctx   ΓL ::= · | ΓL, x : b | ΓL, x : any
Typing ctx      Γ  ::= · | Γ, x : τ
Formula ctx     Δ  ::= · | Δ, φ
Exec ctx        Ξ  ::= ub : b, ue : b, i : b

Figure 4. Types and typing contexts

Similar to HTT, a suspended computation comp(c) is assigned a monadic type comp(ηc), where ηc is a closed computation type. A closed computation type u₁.u₂.i.(x:τ.φ₁, φ₂) contains two postconditions, φ₁ and φ₂. Both are interpreted relative to a trace T. φ₁, the partial correctness assertion, holds whenever a computation of this type finishes execution on the trace. It is parametrized by the id i of the thread that runs the computation, the interval (ub, ue] during which the computation runs and the return value x of the computation. φ₂, called the invariant assertion, holds while a computation of the computation type is still executing (or is stuck), but has not returned. It is parametrized by the id i of the thread running the computation and the time interval (ub, ue] over which the computation has executed. Formally, a suspended computation comp(c) has type comp(u₁.u₂.i.(x:τ.φ₁, φ₂)) if the following two properties hold for every trace T: (1) if a thread ι on trace T begins to run c at time U₁ and at time U₂, c returns an expression e, then e has type τ, and T satisfies φ₁[U₁, U₂, ι, e/u₁, u₂, i, x]; (2) if a thread ι on trace T begins to run c at time U₁ and at time U₂, c has not finished, then T satisfies φ₂[U₁, U₂, ι/u₁, u₂, i]. The meaning of all types is made precise in Section 5.2.

The type $\eta$ may be either a partial correctness assertion, an invariant assertion, or a pair of both. Fixpoint computations have the type $\Pi x{:}\tau.u_1.u_2.i.(y{:}\tau.\varphi_1, \varphi_2)$, discussed in more detail with the typing rules. If $f$ has this type, then for any $e : \tau$, $(f\ e)$ is a recursive computation of closed computation type $u_1.u_2.i.(y{:}\tau.\varphi_1, \varphi_2)[e/x]$.

Assertions, denoted $\varphi$, are standard first-order logical formulas interpreted over traces. Atomic assertions are denoted $P$.

We write $a$ to categorize actions. A fully applied action has the type $\mathrm{Act}(\eta_c)$, where $\eta_c$ denotes the action's effects.


4.1  Typing  Rules 


Our typing judgments use several contexts. $\Theta$ is a list of type variables. The signature $\Sigma$ contains specifications for action symbols. $\Gamma^L$ contains logical variable type bindings. These variables can only be of the type $b$ or any. $\Gamma$ contains dependent variable type bindings. $\Delta$ contains logical assertions. The ordered context $\Xi = u_b, u_e, i$ provides reference time points and a thread id to typing judgments for computations. When typing a computation, $(u_b, u_e]$ are parameters representing the interval during which the computation executes and $i$ is a parameter representing the id of the thread that executes the computation. A summary of the typing judgments is shown below.


$$
\begin{array}{ll}
u{:}b;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q e : \tau & \text{expression } e \text{ has type } \tau\\
u{:}b;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q c : \eta_c & \text{fixed-point computation } c \text{ has type } \eta_c\\
\Xi;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q c : \eta & \text{computation } c \text{ has type } \eta\\
\Xi;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent} & \varphi \text{ holds while reductions are non-effectful}\\
\Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{true} & \varphi \text{ is true}
\end{array}
$$


When typing expressions and fixpoint computations, $u$ is the earliest time point when the term can be evaluated on the trace. The first three judgments are indexed by a qualifier $Q$, which can either be empty or $u_b.u_e.i.\varphi$, which we call an invariant. Variables $u_b$, $u_e$, and $i$ have the same meaning as in the context $\Xi$, and may appear free in $\varphi$. Rules indexed with $u_b.u_e.i.\varphi$ are used for deriving properties of programs that execute adversarial code. Roughly speaking, the context $\Gamma$ in these rules contains variables that are placeholders for expressions that satisfy the invariant $\varphi$. We explain here some selected rules of our type system; the remaining rules are listed in the accompanying technical appendix.

Silent threads Reductions on a trace can be categorized into those induced by the rules R-ActS and R-ActF in Figure 2 and those induced by other rules. We call the former effectful and the latter non-effectful or silent. The typing judgment $\Xi;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent}$ specifies properties of threads while they perform only silent reductions or do not reduce at all. The judgment is auxiliary in proofs of both partial correctness and invariant assertions, as will become clear soon. The following rule states that if $\varphi$ is true, then a trace containing a thread's silent computation satisfies $\varphi$.

$$
\dfrac{
\Xi;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{true}\qquad
\Xi;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{ok}
}{
\Xi;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent}
}\ \textsc{Silent}
$$

The type system may be extended with other sound rules for this judgment. For instance, the following is a trivially sound rule: $u_b.u_e.i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash (\forall l, t.\ u_b < t \le u_e \Rightarrow \neg\mathsf{read}\ i\ l\ t)\ \mathsf{silent}$. If a thread $i$ is not performing any action during the time interval $(u_b, u_e]$, then it does not read memory during that time interval.

Partial correctness typing for computations Figure 5 shows selected rules for establishing partial correctness postconditions of computations. The judgment $u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash c : x{:}\tau.\varphi$ means that if in trace $\mathcal{T}$ any thread with id $\iota$ begins to execute computation $c$ at time $U_1$, and at time $U_2$, $c$ returns an expression $e$, and $\mathcal{T}$ satisfies all the formulas in $\Delta$, then $e$ has type $\tau$, and $\mathcal{T}$ also satisfies $\varphi[U_1, U_2, \iota, e/u_1, u_2, i, x]$.

In rule Act, the type of an atomic action is directly derived from the specification of the action symbol in $\Sigma$. We elide rules for the judgment $a :: \mathrm{Act}(u_1.u_2.i.(x{:}\tau.\varphi_1,\ \varphi_2))$, which derives types for actions based on the specifications in $\Sigma$. We explain the invariant assertions for actions with the discussion of invariant typing for computations. When typing $a$, the logical variable typing context includes $u_2 : b$ and $i : b$, because they may appear free in $\Gamma$ and $\Delta$. For brevity, we elide the types for variables of type $b$, as they are obvious from the context.

Rule Ret assigns $e$'s type to $\mathsf{ret}(e)$. The trace $\mathcal{T}$ containing the evaluation of $\mathsf{ret}(e)$ satisfies two properties, which appear in the postcondition of $\mathsf{ret}(e)$. First, the return expression, which is bound to $x$, is $e$ (assertion $(x = e)$). Second, $\mathcal{T}$ satisfies any property $\varphi$ such that $\varphi\ \mathsf{silent}$ holds. This is because the reduction of $\mathsf{ret}(e)$ is silent. Here $e$ is typed under the time point $u_2$, indicating that $e$ can only be evaluated after $u_2$.

Rule SeqC types the sequential composition $\mathsf{letc}(c_1, x.c_2)$. Starting at time point $u_0$ and returning at $u_3$, the execution of $\mathsf{letc}(c_1, x.c_2)$ in any thread $i$ can be divided into three segments for some $u_1, u_2$: between time $u_0$ and $u_1$, where thread $i$ takes only a silent step, pushing $x.c_2$ onto the stack; between time $u_1$ and $u_2$, where the computation $c_1$ runs; and between time $u_2$ and $u_3$, where $c_2$ runs. The first three premises of SeqC assert the effects of each of these three segments. When type checking $c_2$, the facts learned from the execution so far ($\varphi_0$ and $\varphi_1$) are included in the context. The fourth premise checks that $\varphi$ is a logical consequence of the conjunction of the three evaluation segments' properties.
Partial correctness typing

$$
\dfrac{
\begin{array}{c}
u_1;\ \Theta;\ \Sigma;\ \Gamma^L, u_2, i;\ \Gamma;\ \Delta \vdash_Q a :: \mathrm{Act}(u_b.u_e.j.(x{:}\tau.\varphi_1,\ \varphi_2))\\
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent}\qquad
\mathrm{fv}(a) \subseteq \mathrm{dom}(\Gamma)\qquad
\text{let } \gamma = [u_1, u_2, i / u_b, u_e, j]\\
\Theta;\ \Sigma;\ \Gamma^L;\ \Gamma \vdash u_1.u_2.i.(x{:}\tau.\varphi_1\gamma,\ \varphi_2\gamma \wedge \varphi)\ \mathsf{ok}
\end{array}
}{
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q \mathsf{act}(a) : (x{:}\tau.\varphi_1\gamma,\ \varphi_2\gamma \wedge \varphi)
}\ \textsc{Act}
$$

$$
\dfrac{
\begin{array}{c}
u_2;\ \Theta;\ \Sigma;\ \Gamma^L, u_1, i;\ \Gamma;\ \Delta \vdash_Q e : \tau\\
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent}\qquad
\mathrm{fv}(e) \subseteq \mathrm{dom}(\Gamma)
\end{array}
}{
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q \mathsf{ret}(e) : x{:}\tau.((x = e) \wedge \varphi)
}\ \textsc{Ret}
$$

$$
\dfrac{
\begin{array}{c}
u_0, u_1, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_3;\ \Gamma;\ \Delta, u_0 < u_1 \vdash \varphi_0\ \mathsf{silent}\\
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0{:}b, u_3;\ \Gamma;\ \Delta, u_1 < u_2, \varphi_0 \vdash_Q c_1 : x{:}\tau.\varphi_1\\
u_2, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0, u_1;\ \Gamma, x : \tau;\ \Delta, u_2 < u_3, \varphi_0, \varphi_1 \vdash_Q c_2 : y{:}\tau'.\varphi_2\\
\Theta;\ \Sigma;\ \Gamma^L, u_1, u_2, u_0, u_3, i;\ \Gamma, x{:}\tau, y : \tau';\ \Delta \vdash (\varphi_0 \wedge \varphi_1 \wedge \varphi_2) \Rightarrow \varphi\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i;\ \Gamma, y : \tau' \vdash \varphi\ \mathsf{ok}\qquad
\mathrm{fv}(\mathsf{letc}(c_1, x.c_2)) \subseteq \mathrm{dom}(\Gamma)
\end{array}
}{
u_0, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q \mathsf{letc}(c_1, x.c_2) : y{:}\tau'.\varphi
}\ \textsc{SeqC}
$$

$$
\dfrac{
\begin{array}{c}
u_0, u_1, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_3;\ \cdot;\ \Delta, u_0 < u_1 \vdash \varphi_0\ \mathsf{silent}\\
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0{:}b, u_3;\ \cdot;\ \Delta, \varphi_0, u_1 < u_2 \vdash_Q c_1 : x{:}\tau.\varphi_1\\
u_2, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0, u_1;\ \cdot;\ \Delta, u_2 < u_3, \varphi_0, \varphi_1 \vdash_{Q_2} c_2 : y{:}\tau'.\varphi_2\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i, u_1, u_2;\ \Gamma, y : \tau';\ \Delta \vdash (\varphi_0 \wedge \varphi_1 \wedge \varphi_2) \Rightarrow \varphi\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i;\ \Gamma, y : \tau' \vdash \varphi\ \mathsf{ok}
\end{array}
}{
u_0, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_{Q_2} (c_1; c_2) : y{:}\tau'.\varphi
}\ \textsc{SeqCComp}
$$

Invariant typing

$$
\dfrac{
\begin{array}{c}
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{ok}\\
u_0, u_1, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_3;\ \Gamma;\ \Delta, u_0 < u_1 \vdash \varphi_0\ \mathsf{silent}\\
u_0, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta, u_0 < u_3 \vdash \varphi_0'\ \mathsf{silent}\\
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0{:}b, u_3;\ \Gamma;\ \Delta, u_1 < u_2, \varphi_0 \vdash_Q c_1 : x{:}\tau.\varphi_1\\
u_1, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0{:}b;\ \Gamma;\ \Delta, u_1 < u_3, \varphi_0 \vdash_Q c_1 : \varphi_1'\\
u_2, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0, u_1;\ \Gamma, x : \tau;\ \Delta, u_2 < u_3, \varphi_0, \varphi_1 \vdash_Q c_2 : \varphi_2\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i;\ \Gamma;\ \Delta \vdash \varphi_0' \Rightarrow \varphi\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i, u_1;\ \Gamma;\ \Delta \vdash (\varphi_0 \wedge \varphi_1') \Rightarrow \varphi\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i, u_1, u_2;\ \Gamma, x{:}\tau;\ \Delta \vdash (\varphi_0 \wedge \varphi_1 \wedge \varphi_2) \Rightarrow \varphi\ \mathsf{true}\\
\mathrm{fv}(\mathsf{letc}(c_1, x.c_2)) \subseteq \mathrm{dom}(\Gamma)
\end{array}
}{
u_0, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q \mathsf{letc}(c_1, x.c_2) : \varphi
}\ \textsc{SeqCI}
$$

Figure 5. Selected Rules for Computation Typing


The above rules have the same qualifier $Q$ in the premises and the conclusion. Rule SeqCComp combines derivations with different qualifiers in a sequencing statement. The $\Gamma$ context in the typing of $c_1$ and $c_2$ must be empty. Because the free variables in $c_1$ are placeholders for expressions that satisfy an invariant $\varphi_1$, while the free variables in $c_2$ are for ones that satisfy a different invariant $\varphi_2$, $c_1$ and $c_2$ cannot share free variables except those in $\Gamma^L$. Note that both $Q$ and $Q_2$ can be empty. This rule is necessary for typing the sequential composition of two programs that contain differently sandboxed code: $c_1$ executes sandboxed code that satisfies $\varphi_1$ and $c_2$ either contains no sandboxed programs, or ones that satisfy $\varphi_2$.

Invariant typing for computations The meaning of the invariant typing judgment $u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash c : \varphi$ is the following: assuming that on a trace $\mathcal{T}$, thread $\iota$ begins to execute $c$ at time $U_1$, and at time $U_2$ $c$ has not yet returned (this includes the possibility that $c$ is looping indefinitely or is stuck), if $\mathcal{T}$ satisfies the assumptions in $\Delta$, then $\mathcal{T}$ also satisfies $\varphi[U_1, U_2, \iota/u_1, u_2, i]$.

We first explain the invariant assertions for actions (rule Act). The thread executing the atomic action is silent before the action returns. Therefore, the invariant assertion of the action is the conjunction of the invariant specified in $\Sigma$ and the effect of being silent.

Next, we explain the rule SeqCI for the sequencing statement $\mathsf{letc}(c_1, x.c_2)$. We need to consider three cases when deriving the invariant assertion $\varphi$ of $\mathsf{letc}(c_1, x.c_2)$ in the interval $(u_0, u_3]$: (1) the computation has not started until $u_3$; (2) the computation $c_1$ started but has not returned until $u_3$; (3) the computation $c_1$ has returned, but $c_2$ has not returned until $u_3$. The first five premises of rule SeqCI establish properties of a silent thread, the partial correctness and invariant assertions of the computation $c_1$, and the invariant assertion of $c_2$. The next three judgments check that in each of the three cases (1)–(3), the final assertion $\varphi$ holds.

For example, $\mathsf{comp}(\mathsf{letc}(\mathsf{act}(\mathsf{read}\ e), x.\mathsf{ret}\ x))$ can be assigned the following type. Predicate $\mathsf{mem}\ l\ v\ u$ is true when at time $u$, memory location $l$ is allocated and stores the expression $v$. Predicate $\mathsf{eval}\ e\ e'$ is true if $e$ $\beta$-reduces to $e'$, which cannot reduce further. $\mathsf{write}\ \iota\ l\ e\ u$ states that thread $\iota$ writes expression $e$ to address $l$ at time $u$. The partial correctness assertion states that this suspended computation returns what is stored in the location that $e$ reduces to. The invariant assertion states that during its execution, the thread executing it does not write to the memory.

$$
\mathsf{comp}(u_b.u_e.i.(y{:}\mathrm{any}.\ \forall l, v.\ \mathsf{eval}\ e\ l \wedge \mathsf{mem}\ l\ v\ u_e \Rightarrow y = v,\ \ \forall l, v, u.\ u_b < u \le u_e \Rightarrow \neg\mathsf{write}\ i\ l\ v\ u))
$$

Fixpoint computation The fixpoint is typed under a time point $u$, which is the earliest time when the fixpoint is unrolled.

$$
\dfrac{
\begin{array}{c}
\Gamma_f = \Gamma, f : \Pi y{:}\tau.\mathsf{comp}(u_1.u_3.i.(x{:}\tau_1.\varphi,\ \varphi'))\\
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta, u \le u_1 < u_2 \vdash \varphi_0\ \mathsf{silent}\\
u_2, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_1, u;\ \Gamma_f, y{:}\tau;\ \Delta, u_2 < u_3, \varphi_0 \vdash_Q c : x{:}\tau_1.\varphi_1\\
u_2, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_1, u;\ \Gamma_f, y{:}\tau;\ \Delta, u_2 < u_3, \varphi_0 \vdash_Q c : \varphi_2\\
\Theta;\ \Sigma;\ \Gamma^L, u_1, u, u_2, u_3, i;\ \Gamma_f, y{:}\tau, x : \tau_1;\ \Delta \vdash (\varphi_0 \wedge \varphi_1) \Rightarrow \varphi\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_1, u_2, u_3, i, u;\ \Gamma_f, y{:}\tau;\ \Delta \vdash (\varphi_0 \wedge \varphi_2 \Rightarrow \varphi')\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_1, u_3, i, u;\ \Gamma, y : \tau;\ \Delta \vdash \varphi_0[u_3/u_2] \Rightarrow \varphi'\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u;\ \Gamma \vdash \Pi y{:}\tau.u_1.u_3.i.(x{:}\tau_1.\varphi,\ \varphi')\ \mathsf{ok}\qquad
\mathrm{fv}(\mathsf{fix}(f(y).c)) \subseteq \mathrm{dom}(\Gamma)
\end{array}
}{
u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q \mathsf{fix}(f(y).c) : \Pi y{:}\tau.u_1.u_3.i.(x{:}\tau_1.\varphi,\ \varphi')
}\ \textsc{Fix}
$$

Rule Fix simultaneously establishes the partial correctness and invariant assertions of a fixpoint. The third and fourth premises establish the partial correctness and invariant assertions of the body $c$ of the fixpoint. The fifth premise checks that the specified partial correctness assertion $\varphi$ is entailed by the conjunction of the assertions of a silent thread and the assertion of the body. The next two premises check the invariant assertion $\varphi'$. For example, $\mathsf{fix}\ f(x).\ \mathsf{write}\ x\ 0;\ \mathsf{read}\ x;\ \mathsf{letc}(f(x+1), z.\mathsf{ret}\ z)$ has the type:

$$
\Pi x{:}b.\ u_b.u_e.i.(y{:}\mathrm{any}.\ \bot,\ \ \forall u, l, v.\ u_b < u \le u_e \wedge \mathsf{read}\ i\ l\ u \Rightarrow \exists u', v'.\ u' < u \wedge \mathsf{write}\ i\ l\ v'\ u')
$$

Expression typing Similar to the fixpoint, the expression typing judgment is parameterized over a time point $u$, which is the earliest time point at which $e$ is evaluated. Recall that the typing rule for $\mathsf{ret}(e)$ types $e$ under the time point when $\mathsf{ret}(e)$ returns. This is because $e$ can only be evaluated after $\mathsf{ret}(e)$ finishes. Most expression typing rules are standard. A representative subset is listed in Figure 6.


$$
\dfrac{
\begin{array}{c}
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_e;\ \Gamma;\ \Delta, u_1 \ge u_e \vdash_Q c : (x{:}\tau.\varphi_1,\ \varphi_2)\\
\Theta;\ \Sigma;\ \Gamma^L, u_e{:}b, u_1{:}b, u_2{:}b, i{:}b;\ \Gamma, x : \tau;\ \Delta \vdash \varphi_1 \Rightarrow \varphi_1'\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_e{:}b, u_1{:}b, u_2{:}b, i{:}b;\ \Gamma;\ \Delta \vdash \varphi_2 \Rightarrow \varphi_2'\ \mathsf{true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_e{:}b;\ \Gamma \vdash u_1.u_2.i.(x{:}\tau.\varphi_1',\ \varphi_2')\ \mathsf{ok}\qquad
\mathrm{fv}(c) \subseteq \mathrm{dom}(\Gamma)
\end{array}
}{
u_e;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q \mathsf{comp}(c) : \mathsf{comp}(u_1.u_2.i.(x{:}\tau.\varphi_1',\ \varphi_2'))
}\ \textsc{Comp}
$$

$$
\dfrac{
u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q e : \tau\qquad
\Theta;\ \Sigma;\ \Gamma^L, u;\ \Gamma;\ \Delta \vdash e = e'\ \mathsf{true}\qquad
\mathrm{fv}(e') \subseteq \mathrm{dom}(\Gamma)
}{
u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_Q e' : \tau
}\ \textsc{Eq}
$$

$$
\dfrac{
\begin{array}{c}
\varphi \text{ is trace composable}\qquad
u_b, u_e, i;\ \Theta;\ \Sigma;\ \Gamma^L, u;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent}\\
u_b{:}b, u_e{:}b, i{:}b \vdash \varphi\ \mathsf{ok}\qquad
\mathrm{fa}(e) = \emptyset\qquad
\mathrm{fv}(e) \subseteq \mathrm{dom}(\Gamma)\\
\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)\qquad
\mathsf{confine}(\Gamma)(u_b.u_e.i.\varphi)
\end{array}
}{
u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_{u_b.u_e.i.\varphi} e : \tau
}\ \textsc{Confine}
$$

$$
\dfrac{
u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e : \tau\qquad
u_b{:}b, u_e{:}b, i{:}b \vdash \varphi\ \mathsf{ok}
}{
u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_{u_b.u_e.i.\varphi} e : \tau
}\ \textsc{Conf-sub}
$$

Figure 6. Selected expression typing rules


Rule Comp assigns a monadic type to a suspended computation by checking the computation. Since the suspended computation can only execute after $u_e$, the logical context of the first premise can safely assume that the beginning time point of $c$ is no earlier than $u_e$. As usual, the rule also builds in weakening of postconditions.

The rule Eq, motivated in Section 3.1, assigns an expression $e'$ the type of $e$, if $e$ is syntactically equal to $e'$.

The rule CONFINE, motivated in Section 3.1, allows us to type an expression from the knowledge that it contains no actions and that its free variables will be substituted with expressions with effect $\varphi$. The main generalization from the simpler rule presented in Section 3.1 is that now $\varphi$ is a predicate over an interval and a thread in a trace, not just a predicate over individual actions. The intuitive idea behind the rule is similar: if $c$ is a computation that is free of actions and confined to use the computations $c_1, \ldots, c_n$ for interaction with the shared state, and each of the computations $c_1, \ldots, c_n$ maintains a trace invariant $\varphi$ while it executes, then as $c$ executes, it maintains $\varphi$.

Technically, because $\varphi$ also accepts as arguments any interval on a trace (it has free variables $u_b$, $u_e$), we require that $\varphi$ be trace composable, meaning that if $\varphi$ holds on two consecutive intervals of a trace, then it holds across the union of the intervals. Formally, $\varphi$ is trace composable if $\forall u_1, u_2, u_3, i.\ (\varphi(u_1, u_2, i) \wedge \varphi(u_2, u_3, i)) \Rightarrow \varphi(u_1, u_3, i)$. Further, $\varphi$ has to hold on intervals when thread $i$ is silent. This prevents us from deriving arbitrary properties of untrusted code. For instance, $\varphi$ cannot be $\bot$. (No trace can satisfy the invariant $\bot$.) This rule relies on checking that $\tau$ relates to the invariant $\varphi$, represented as the relation $\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)$. This relation means that $\varphi$ is both the partial correctness assertion and the invariant assertion in every computation type $\mathsf{comp}(\eta_c)$ occurring in $\tau$. Similarly, $\Gamma$ is required to map every free variable in $e$ to a type that satisfies the same relation. The conclusion is indexed by the invariant $u_b.u_e.i.\varphi$ to record the fact that all substitutions for variables in $\Gamma$ need to satisfy $\varphi$.


$$
\mathsf{confine}(b)(u_b.u_e.i.\varphi)
\qquad
\dfrac{
\mathsf{confine}(\tau_1)(u_b.u_e.i.\varphi)\qquad \mathsf{confine}(\tau_2)(u_b.u_e.i.\varphi)
}{
\mathsf{confine}(\Pi\_{:}\tau_1.\tau_2)(u_b.u_e.i.\varphi)
}
\qquad
\dfrac{
\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)
}{
\mathsf{confine}(\mathsf{comp}(u_b.u_e.i.(x{:}\tau.\varphi,\ \varphi)))(u_b.u_e.i.\varphi)
}
$$

The CONFINE rule itself does not stipulate any conditions on the predicate $\varphi$, other than requiring that $\varphi$ be trace composable. However, if $e$ is of function type, and expects some interfaces as arguments, then in applying CONFINE to $e$, we must choose a $\varphi$ to match the actual effects of those interfaces, else the application of $e$ to the interfaces cannot be typed.
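As an added worked check (not part of the paper), the no-write invariant used in the read example earlier, $\varphi(u_b, u_e, i) = \forall l, v, u.\ u_b < u \le u_e \Rightarrow \neg\mathsf{write}\ i\ l\ v\ u$, meets both side conditions of CONFINE, whereas $\bot$ fails the second; the silence step assumes the analogue of the no-read rule given above for the silent judgment.

$$
\begin{array}{l}
\textbf{Trace composability.}\ \text{Assume } \varphi(u_1, u_2, i) \text{ and } \varphi(u_2, u_3, i). \text{ Fix } l, v, u \text{ with } u_1 < u \le u_3.\\
\quad \text{Case } u \le u_2:\ u_1 < u \le u_2, \text{ so } \neg\mathsf{write}\ i\ l\ v\ u \text{ by } \varphi(u_1, u_2, i).\\
\quad \text{Case } u > u_2:\ u_2 < u \le u_3, \text{ so } \neg\mathsf{write}\ i\ l\ v\ u \text{ by } \varphi(u_2, u_3, i).\\
\quad \text{Hence } \varphi(u_1, u_3, i), \text{ i.e. } \forall u_1, u_2, u_3, i.\ (\varphi(u_1, u_2, i) \wedge \varphi(u_2, u_3, i)) \Rightarrow \varphi(u_1, u_3, i).\\[4pt]
\textbf{Silence.}\ \text{A thread performing only silent reductions on } (u_b, u_e] \text{ performs no } \mathsf{write} \text{ action there (write is effectful),}\\
\quad \text{so } u_b, u_e, i;\ \Theta;\ \Sigma;\ \Gamma^L, u;\ \Gamma;\ \Delta \vdash \varphi\ \mathsf{silent} \text{ is derivable by a rule of the same shape as the no-read rule.}\\[4pt]
\textbf{Non-example.}\ \bot \text{ is vacuously trace composable, but no trace satisfies } \bot, \text{ so } \bot\ \mathsf{silent} \text{ is not derivable}\\
\quad \text{and CONFINE cannot index a derivation with } u_b.u_e.i.\bot.
\end{array}
$$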

The rule CONF-SUB constrains a regular typing derivation to a specific invariant $u_b.u_e.i.\varphi$. This is sound because the first premise does not require the substitutions for $\Gamma$ to satisfy any specific invariant, so they can be narrowed down to any invariant. The conclusion must be tagged with the invariant $\varphi$, because: (1) $\tau$ could be a base type, in which case the invariant is not evident in $e$'s type; and (2) the types in $\Gamma$ are allowed to contain nested effects that are not $\varphi$. Reason (1) is also why the conclusion of the CONFINE rule is indexed.

Finally, the time point enables expression types to include facts that are established by programs executed earlier. For example, the return type of $\mathsf{letc}(a_1, x.\mathsf{ret}(\mathsf{comp}(a_2)))$ can be the following, assuming that the effect of action $a_1$ is $A_1\ i\ u$, and that of $a_2$ is $A_2\ i\ u$.

$$
\mathsf{comp}(u_b.u_e.i.(x{:}b.\ \exists u.\ u_b < u \le u_e \wedge A_2\ i\ u \wedge \exists j, u'.\ u' < u \wedge A_1\ j\ u',\ \ \top))
$$

We would not have been able to know that $A_1$ happens before $A_2$ without the time point in the expression typing rules.

Logical  Reasoning  System  M  includes  a  proof  system  for  first- 
order  logic,  most  of  which  is  standard.  We  show  here  the  rule 
HONEST,  which  allows  us  to  deduce  properties  of  a  thread  based 
on  the  invariant  assertion  of  the  computation  it  executes. 

$$
\dfrac{
u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \cdot;\ \Delta \vdash c : \varphi\qquad
\Theta;\ \Sigma;\ \Gamma^L;\ \cdot;\ \Delta \vdash \mathsf{start}(\iota, c, u)\ \mathsf{true}\qquad
\Theta;\ \Sigma;\ \Gamma^L;\ \Gamma \vdash \varphi\ \mathsf{ok}
}{
\Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \forall u'{:}b.\ (u' > u) \Rightarrow \varphi[u, u', \iota / u_1, u_2, i]\ \mathsf{true}
}\ \textsc{Honest}
$$

If we know that a thread $\iota$ starts executing at time $u$ with payload computation $c$ (premise $\mathsf{start}(\iota, c, u)$) and computation $c$ has an invariant postcondition $\varphi$, then we can conclude that at any later point $u'$, $\varphi$ holds for the interval $(u, u']$. The condition that $c$ be typed under an empty $\Gamma$ context is required by the soundness proofs, which we discuss in Section 5.4.

4.2  Examples 

We prove the following state continuity property of Memoir. It states that after the service has been initialized at time $u_1$ with the key $\mathit{skey}$, whenever we invoke the service with state $\mathit{state}$ at a time point $u$ later than $u_1$, it must be the case that the service was either initialized with or produced the state $\mathit{state}$ at a time point $u'$. Moreover, there are no invocations of the service between $u'$ and $u$.

$$
\begin{array}{l}
\forall u_1, \mathit{state}, \mathit{state}', \mathit{skey}, \iota_{init}, s_{init}.\\
\quad \mathsf{service\_init}(\iota_{init}, \mathit{skey}, \mathit{service}, s_{init})@u_1 \Rightarrow\\
\quad \forall u > u_1.\ \mathsf{service\_invoke}(i, \mathit{skey}, \mathit{state}, \mathit{state}')@u \Rightarrow\\
\qquad \exists j, u' < u.\ \big( (\exists s.\ \mathsf{service\_invoke}(j, \mathit{skey}, s, \mathit{state})@u'\\
\qquad\qquad\quad \vee\ \mathsf{service\_try}(j, \mathit{skey}, \mathit{state})@u'\\
\qquad\qquad\quad \vee\ \mathsf{service\_init}(j, \mathit{skey}, \mathit{state})@u')\\
\qquad\qquad \wedge\ (\forall j'.\ \neg\mathsf{service\_invoke}(j', \mathit{skey}, \cdots) \circ (u', u)) \big)
\end{array}
$$

The expressiveness of the first-order logic enables us to specify the above property, where the ordering of events is crucial. For the full proofs, we refer the reader to our technical appendix. We now revisit our discussion in Section 3 and highlight critical uses of the System M program logic in the proof. Recall that Memoir has two phases: service initialization and service invocation. During initialization, we assume that the Memoir module runmodule (Figure 3) is assigned NVRAM location Nloc and service $\mathit{service}$. The permission for accessing Nloc (which stores the secret key used to encrypt state and the freshness tag) is set to the value of PCR 17. This PCR stores a nested hash $\mathit{s\_hash} = H(h \| \mathit{code\_hash}(\mathit{service}))$. Here, the term $H(x)$ denotes the hash of $x$, $\|$ denotes concatenation, $h$ is any value and $\mathit{code\_hash}(x)$ is a hash of the textual reification of program $x$. After initialization, we prove the following two key invariants about executions of runmodule:

1. PCR Protection: The value of PCR 17 contains the value $\mathit{s\_hash}$ only during late launch sessions running runmodule.

2.  Key  Secrecy:  If  the  key  corresponding  to  a  service  is  available 
to  a  thread,  then  it  must  have  either  generated  it  or  read  it  from 
Nloc. 

We  prove  these  invariants  using  the  HONEST  rule,  which  requires 
us  to  type  runmodule.  Since  runmodule  invokes  srvc,  we  need  to 
type  srvc.  Recall  that  srvc  is  adversarially-supplied  code.  Thus,  in 
typing  it  we  make  use  of  the  CONFINE  and  EQ  rules. 

For the first invariant, we derive the necessary type for $\mathit{srvc}$ by typing against the TPM interface. The particular invariant type we wish to derive about $\mathit{srvc}$ is that in a late launch session, if the value in the PCR has been set to a value that is not a prefix of $\mathit{s\_hash}$, then $\mathit{srvc}$ cannot change the value in the PCR to something that is a prefix of $\mathit{s\_hash}$ (i.e., it cannot fool the NVRAM access control mechanism into believing that $\mathit{service}$ was loaded when it was not).

$$
\begin{array}{l}
(\mathit{srvc}\ \mathsf{ExtendPCR}\ \mathsf{ResetPCR}\ \cdots)\ (\mathit{state}, \mathit{req}) :\\
\quad \mathsf{cmp}(u_b, u_e, i.\ \neg\mathsf{PCRPrefix}(\mathit{pcr17}, \mathit{s\_hash})@u_b \Rightarrow\\
\qquad \forall u \in (u_b, u_e].\ (\mathsf{InLLSession}(u, \mathit{runmodule}, i) \Rightarrow \neg\mathsf{PCRPrefix}(\mathit{pcr17}, \mathit{s\_hash})@u))
\end{array}
$$

To  derive  this  type  using  the  CONFINE  rule,  it  is  sufficient  to 
show  that  each  function  in  the  TPM  interface  can  be  assigned 
this  type.  For  example,  the  ExtendPCR  interface  satisfies  this 
invariant  as  it  can  only  extend  a  PCR  value.  This  derivation  is  a 
key  step  in  proving  that  the  service  does  not  change  the  value  of 
the  PCR  to  a  state  that  allows  any  entity  other  than  runmodule  to 
read  the  NVRAM  location  Nloc  (i.e.,  the  first  invariant  of  srvc  in 
Section  3.1). 

Similarly, we can prove that the permissions on Nloc are always tied to PCR 17 being $\mathit{s\_hash}$, by typing $\mathit{srvc}$ with the invariant that the permissions on Nloc cannot be changed. Thus, whenever Nloc is read from, the value of PCR 17 is $\mathit{s\_hash}$. We also show separately that in any particular instance of runmodule with $\mathit{srvc}$, the state of PCR 17 must be $H(h \| \mathit{code\_hash}(\mathit{srvc}))$ for some $h$. Therefore, by Nloc's access control mechanism, we prove that $H(h \| \mathit{code\_hash}(\mathit{srvc})) = \mathit{s\_hash}$ and therefore $\mathit{srvc} = \mathit{service}$ (where $=$ denotes syntactic equality).

This is a key step to proving the key secrecy invariant. It allows us to transfer assumptions about the known Memoir service $\mathit{service}$ to the adversarially-supplied service $\mathit{srvc}$. Specifically, we assume that $\mathit{service}$ has the following type $\tau_{sec}$ (which means that if the input of $\mathit{service}$ does not contain a secret $s$ then the output does not contain it) and an invariant $\mathsf{KeepsSecret}(i, s, \mathit{Nloc})$ (which means that $s$ is not sent out on the network and the only NVRAM location $s$ is possibly written to is Nloc).

$$
\begin{array}{l}
\tau_{sec} = \Pi i : \mathsf{msg}.\ \mathsf{cmp}(u_b, u_e, i.\\
\qquad (x : \mathsf{msg}.\ \forall s.\ \neg\mathsf{Contains}(i, s) \Rightarrow \neg\mathsf{Contains}(x, s),\\
\qquad\ \forall s.\ \neg\mathsf{Contains}(i, s) \Rightarrow \mathsf{KeepsSecret}(i, s, \mathit{Nloc}) \circ (u_b, u_e]))
\end{array}
$$

Using the above assumption about $\mathit{service}$ and the proof that $\mathit{srvc} = \mathit{service}$, we use Eq to derive the required type for $\mathit{srvc}$ (i.e., the second invariant of $\mathit{srvc}$ discussed in Section 3.1).

5.  Semantics  and  Soundness 

We build a step-indexed semantic model [2] for types and prove soundness of System M relative to that. Central to the semantics is the notion of invariant. We build two sets of semantics: one is a semantics for invariants of the form $u_b.u_e.i.\varphi$ ($\mathcal{RE}_{INV}[u_b.u_e.i.\varphi]$), and the other is an invariant-indexed semantics for types ($\mathcal{RE}(u_b.u_e.i.\varphi)[\tau]$). These two sets coincide when $\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)$ holds (Lemma 1).

5.1  A  Step-indexed  Semantics  for  Invariants 

We define $\mathcal{RV}_{INV}[\phi]_{\mathcal{T};u}$, $\mathcal{RE}_{INV}[\phi]_{\mathcal{T};u}$ and $\mathcal{RC}_{INV}[\phi]_{\mathcal{T};u}$ (for $\phi = u_b.u_e.i.\varphi$), the sets of step-indexed normal forms, expressions, and computations that satisfy the invariant $\varphi$, respectively. $\mathcal{T}$ is the trace that the term is evaluated on and $u$ is the earliest time point when the term is evaluated. These sets categorize invariant-confined adversarial programs.

We first define the set of step-indexed computations that satisfy an invariant $\varphi$ below. An indexed computation $(k, c)$ belongs to this relation if the following holds: (1) during any interval $(U_B, U_E]$ in which thread $\iota$ executes $c$ on $\mathcal{T}$, $\varphi[U_B, U_E, \iota/u_b, u_e, i]$ holds on $\mathcal{T}$ and (2) if $c$ completes at time $U_E$, then the expression that $c$ returns, indexed by the remaining steps of the trace, satisfies the same invariant.

$$
\begin{array}{l}
\mathcal{RC}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u} =\\
\{(k, c) \mid \forall U_B, U_E, \iota.\ u \le U_B < U_E,\ \text{let } \gamma = [U_B, U_E, \iota / u_b, u_e, i],\\
\quad j_b \text{ is the length of the trace from time } U_B \text{ to the end of } \mathcal{T},\\
\quad j_e \text{ is the length of the trace from time } U_E \text{ to the end of } \mathcal{T},\\
\quad k > j_b > j_e,\\
\quad \text{the configuration at time } U_B \text{ is } \longrightarrow \sigma_b \rhd \cdots, (\iota;\ x.c' :: K;\ c), \cdots\\
\quad \text{the configuration at time } U_E \text{ is } \longrightarrow \sigma_e \rhd \cdots, (\iota;\ K;\ c'[e'/x]), \cdots\\
\quad \text{between } U_B \text{ and } U_E, \text{ the stack of thread } \iota \text{ always contains } x.c' :: K\\
\quad \Rightarrow (j_e, e') \in \mathcal{RE}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};U_E} \text{ and } \mathcal{T} \models \varphi\gamma[e'/x]\}\\[4pt]
\cap\ \{(k, c) \mid \forall U_B, U_E, \iota.\ u \le U_B < U_E,\ \text{let } \gamma = [U_B, U_E, \iota / u_b, u_e, i],\\
\quad j_b \text{ is the length of the trace from time } U_B \text{ to the end of } \mathcal{T},\\
\quad j_e \text{ is the length of the trace from time } U_E \text{ to the end of } \mathcal{T},\\
\quad k > j_b > j_e,\\
\quad \text{the configuration at time } U_B \text{ is } \longrightarrow \sigma_b \rhd \cdots, (\iota;\ x.c' :: K;\ c), \cdots\\
\quad \text{between } U_B \text{ and } U_E \text{ (inclusive), the stack of thread } \iota \text{ always contains prefix } x.c' :: K\\
\quad \Rightarrow \mathcal{T} \models \varphi\gamma\}
\end{array}
$$

We explain some parts of the definition. At time $U_B$, thread $\iota$ begins to run $c$, which is formalized by requiring that the thread $(\iota;\ K;\ c)$ is in the configuration right after time $U_B$. At time $U_E$, $c$ returns an expression $e'$ to its context, which is formalized by requiring that thread $\iota$'s top frame is popped off the stack with $e'$ substituted for $x$, and that the top frame remains unchanged between $U_B$ and $U_E$. Both $U_B$ and $U_E$ are within the last $k$ configurations of the trace because the length of the trace is $n$ and $k > j_b > j_e$. The earliest time point to interpret $e'$ is $U_E$, which is when $e'$ is returned. The index for the returned expression $e'$ is $j_e$, which is less than $k$. Hence, our step-indices count the number of remaining steps in the trace. Moreover, these remaining steps include not just steps of the thread containing $c$, but also those of other threads. This ensures that the computation $c$'s postconditions hold even when it executes concurrently with other threads (robust safety; Theorem 4). For the second set, $c$ must not have finished at $U_E$, so between $U_B$ and $U_E$, no frame on the stack $x.c' :: K$ should have been popped.

The relation $\mathcal{RV}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u}$ includes all normal expressions that are not introduction forms (i.e., functions and suspended computations). These normal forms cannot be further reduced in any evaluation context, and therefore do not have any effects (they are silent). A function is in this relation if, given arguments maintaining the same invariant, the function body also maintains that invariant. As is standard, the step-index of the argument is smaller than that of the function because function application consumes a step. The case of polymorphic functions is defined similarly. A suspended computation $\mathsf{comp}(c)$ belongs to this relation if $c$ belongs to the $\mathcal{RC}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u}$ relation defined earlier.
$$
\begin{array}{rl}
\mathcal{RV}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u} = & \{(k, \mathit{nf}) \mid \mathit{nf} \ne \lambda x.e,\ \Lambda X.e,\ \mathsf{comp}(c)\}\\
\cup & \{(k, \mathsf{comp}(c)) \mid (k, c) \in \mathcal{RC}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u}\}\\
\cup & \{(k, \lambda x.e) \mid \forall j, u', e'.\ j < k,\ u' \ge u,\ (j, e') \in \mathcal{RE}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u'}\\
& \qquad\qquad \Rightarrow (j, e[e'/x]) \in \mathcal{RE}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u'}\}\\
\cup & \{(k, \Lambda X.e) \mid \forall j.\ j < k \Rightarrow (j, e) \in \mathcal{RE}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u}\}
\end{array}
$$

The definition of the $\mathcal{RE}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u}$ relation is standard: if $e$ evaluates to a normal form $\mathit{nf}$ in $m$ steps, then $\mathit{nf}$ has to be in the value relation indexed by the number of the remaining steps.

$$
\mathcal{RE}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u} = \{(k, e) \mid \forall\, 0 \le m < k.\ e \longrightarrow^{m} e' \Rightarrow (k - m, e') \in \mathcal{RV}_{INV}[u_b.u_e.i.\varphi]_{\mathcal{T};u}\}
$$

This relation includes all programs (including ill-typed ones) that satisfy the invariant if executed in a context that satisfies that invariant. This relation justifies the soundness of the CONFINE rule. Confined adversary-supplied code is in the $\mathcal{RE}_{inv}[u_b.u_e.i.\varphi]_{T;u}$ relation (Lemma 2).

5.2  A  Step-indexed  Model  for  Types 

As programs include adversarial code, which requires its evaluation context to maintain an invariant, the semantics of types need to be indexed by invariants of the form $u_b.u_e.i.\varphi$.

Types The interpretation of an expression type τ is a semantic type, written C. Each C is a set of pairs; each pair contains a step-index and an expression. The expression has to be in normal form, denoted nf, that cannot be reduced further under call-by-name β-reduction. C contains, at every index, all syntactically well-formed normal forms that are not introduction forms. This is used to interpret the type any of untyped programs. As usual, we require that C be closed under reduction of step-indices. Let $\mathcal{P}(S)$ denote the powerset of S. The set of all semantic types is denoted Type.

\[
\begin{array}{rcl}
\mathrm{Type} &=& \{C \mid C \in \mathcal{P}(\{(j, nf) \mid j \in \mathbb{N}\})\ \wedge \\
&& (\forall k, j, nf,\ (k, nf) \in C \wedge j < k \Rightarrow (j, nf) \in C)\ \wedge \\
&& (\forall k, nf,\ nf \neq \lambda x.e,\ \Lambda X.e,\ \mathrm{comp}(c) \Rightarrow (k, nf) \in C)\}
\end{array}
\]

Interpretation of expression types We define the value and expression interpretations of expression types τ (written $\mathcal{RV}(\Phi)[\tau]_{\theta;T;u}$ and $\mathcal{RE}(\Phi)[\tau]_{\theta;T;u}$), as well as the interpretation of computation types η (written $\mathcal{RC}(\Phi)[\eta]_{\theta;T;u}$) simultaneously by induction on types ($\Phi = u_b.u_e.i.\varphi$). Let θ denote a partial map from type variables to Type, T denote the trace that expressions are evaluated on, and u denote the time point after which expressions are evaluated. Figure 7 defines the value and expression interpretations. We omit the cases for any and X.

The interpretation of the base type b is the same as $\mathcal{RV}_{inv}[\Phi]_{T;u}$. The type b itself doesn't specify any effects, and, therefore, expressions in the interpretation of b only need to satisfy the invariant Φ. The interpretation of the function type $\Pi x{:}\tau_1.\tau_2$ is nonstandard: the substitution for the variable x is an expression, not a value. This simplifies the proof of soundness of function application: since System M uses call-by-name β-reduction, the reduction of $e_1\ e_2$ need not evaluate $e_2$ to a value before it is applied to the function that $e_1$ reduces to. Further, the definition builds in both step-index downward closure and time delay: given any argument e' that has a smaller index j and evaluates after u', which is later than u, the function application belongs to the interpretation of the argument type with the index j and time point u'. The interpretation of the function type also includes normal forms that are not λ-abstractions that are in the $\mathcal{RV}_{inv}[u_b.u_e.i.\varphi]_{T;u}$ relation. These are adversary-supplied untyped code, which is required by our type system to satisfy the invariant $u_b.u_e.i.\varphi$.

The interpretation of the monadic type includes suspended computations (k, comp(c)) such that (k, c) belongs to the interpretation of computation types, defined below. Because c executes after time u, the beginning and ending time points selected for evaluating c are no earlier than u. Similar to the interpretation of the function type, the interpretation of the monadic type also includes normal forms that are not monads, but satisfy the invariant $u_b.u_e.i.\varphi$. The interpretation of the any type contains all normal forms.

We lift the value interpretation $\mathcal{RV}(\Phi)[\tau]_{\theta;T;u}$ to the expression interpretation $\mathcal{RE}(\Phi)[\tau]_{\theta;T;u}$ in a standard way.

Interpretation of formulas Formulas are interpreted on traces. We write $T \models \varphi$ to mean that φ is true on trace T.

\[
\begin{array}{lcl}
T \models P\ e & \text{iff} & P\ e \in \varepsilon(T) \\
T \models \mathrm{start}(I, c, u) & \text{iff} & \text{thread } I \text{ has } c \text{ as the active computation with an empty stack at time } u \text{ on } T \\
T \models \forall x{:}\tau.\varphi & \text{iff} & \forall e,\ e \in [\![\tau]\!] \text{ implies } T \models \varphi[e/x]
\end{array}
\]

We assume a valuation function ε(T) that returns the set of atomic formulas that are true on the trace T. For first-order quantification, we select terms in the denotation of the types ($[\![\tau]\!]$), which is defined as follows:

\[
\begin{array}{rcl}
[\![\mathrm{any}]\!] &=& \{e \mid e \text{ is an expression}\} \\
[\![b]\!] &=& \{e \mid e \Downarrow bv\} \\
[\![\Pi x{:}\tau_1.\tau_2]\!] &=& \{\lambda x.e \mid \forall e',\ e' \in [\![\tau_1]\!] \Rightarrow e[e'/x] \in [\![\tau_2]\!]\}
\end{array}
\]

The types of the logical variables can only be b, any and function types. The interpretation of these types is much simpler than that of expressions.

Interpretation of computation types The interpretation of a computation type, $\mathcal{RC}(u_b.u_e.i.\varphi_I)[x{:}\tau.\varphi]_{\theta;T;u_1,u_2,\iota}$, is a set of step-indexed computations. The trace T contains the execution of the computation. $\Xi = u_b, u_e, i$ has its usual meaning, except that $u_b$, $u_e$, and i are concrete values, not variables.

We define the semantics of the partial correctness type, denoted $\mathcal{RC}(u_b.u_e.i.\varphi_I)[x{:}\tau.\varphi]_{\theta;T;u_1,u_2,\iota}$, below. Informally, it contains the set of indexed computations c, if T contains a complete execution of the computation c in the time interval $(u_b, u_e]$ in thread ι such that c returns e' at time $u_e$ and it is also the case that T satisfies φ[e'/x] and that e' has type τ semantically. Similar to the $\mathcal{RC}_{inv}[\Phi]_{T;u}$ relation, these remaining steps include not just steps of the thread executing c, but also other threads. The invariant $u_b.u_e.i.\varphi_I$ is used in the specification of the return value.

\[
\begin{array}{l}
\mathcal{RC}(u_b.u_e.i.\varphi_I)[x{:}\tau.\varphi]_{\theta;T;u_1,u_2,\iota} = \{(k, c) \mid \\
\quad j_b \text{ is the length of the trace from time } u_1 \text{ to the end of } T, \\
\quad j_e \text{ is the length of the trace from time } u_2 \text{ to the end of } T, \\
\quad k > j_b > j_e, \\
\quad \text{the configuration at time } u_1 \text{ is } \sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c), \cdots \\
\quad \text{the configuration at time } u_2 \text{ is } \sigma_e \triangleright \cdots, (\iota;\ K;\ c'[e'/x]), \cdots \\
\quad \text{between } u_1 \text{ and } u_2 \text{, the stack of thread } \iota \text{ always contains } x.c' :: K \\
\quad \Rightarrow (j_e, e') \in \mathcal{RE}(u_b.u_e.i.\varphi_I)[\tau]_{\theta;T;u_2} \text{ and } T \models \varphi[e'/x]\}
\end{array}
\]

The interpretation for the invariant assertions is defined similarly, and we omit its definition. Because c is being evaluated and produces no return value, the interpretation need not be indexed by an invariant. We write _ in place of the invariant.


5.3  Examples 


We illustrate some key points of our semantic model. We instantiate the next function (Section 2) for the read action as follows:

\[
\mathrm{next}(\sigma, \mathrm{read}\ \ell) =
\begin{cases}
(\sigma, \sigma(\ell)) & \ell \in \mathrm{dom}(\sigma) \\
(\sigma, \mathrm{stuck}) & \ell \notin \mathrm{dom}(\sigma)
\end{cases}
\]


Predicate stuck ι u is true when thread ι is in the stuck state at time u. The first example below shows the semantic specification of the read action. The partial correctness assertion states that as long as the location ℓ being read is allocated when the read happens, the thread does not get stuck and the expression y returned by read is the in-memory content v of the location read. The invariant assertion states that between the time the read action becomes the redex and the time it reduces, the thread is not stuck.

1. $(n, \mathrm{act}(\mathrm{read}\ e)) \in \mathcal{RC}(\Phi)[y{:}\mathrm{any}.\ \forall \ell, v,\ \mathrm{mem}\ \ell\ v\ u_2 \wedge \mathrm{eval}\ e\ \ell \Rightarrow (y = v) \wedge \neg\mathrm{stuck}\ \iota\, @\, (u_1, u_2]]_{\theta;T;u_1,u_2,\iota}$

2. $\mathcal{RC}(\Phi)[\forall j, \ell, e, t.\ (\neg\mathrm{Write}\ j\ \ell\ e\ t)]_{\theta;T;u_1,u_2,\iota} = \emptyset$

\[
\begin{array}{rcl}
\mathcal{RV}(u_b.u_e.i.\varphi)[b]_{\theta;T;u} &=& \{(k, e) \mid (k, e) \in \mathcal{RV}_{inv}[u_b.u_e.i.\varphi]_{T;u}\} \\[4pt]
\mathcal{RV}(u_b.u_e.i.\varphi)[\Pi x{:}\tau_1.\tau_2]_{\theta;T;u} &=& \{(k, \lambda x.e) \mid \forall j < k,\ \forall u',\ u' > u,\ \forall e',\ (j, e') \in \mathcal{RE}(u_b.u_e.i.\varphi)[\tau_1]_{\theta;T;u'} \\
&& \qquad \Rightarrow (j, e[e'/x]) \in \mathcal{RE}(u_b.u_e.i.\varphi)[\tau_2[e'/x]]_{\theta;T;u'}\} \\
&\cup& \{(k, nf) \mid nf \neq \lambda x.e \Rightarrow (k, nf) \in \mathcal{RV}_{inv}[u_b.u_e.i.\varphi]_{T;u}\} \\[4pt]
\mathcal{RV}(u_b.u_e.i.\varphi)[\forall X.\tau]_{\theta;T;u} &=& \{(k, \Lambda X.e') \mid \forall j < k,\ \forall C \in \mathrm{Type} \Rightarrow (j, e') \in \mathcal{RE}(u_b.u_e.i.\varphi)[\tau]_{\theta[X \mapsto C];T;u}\} \\
&\cup& \{(k, nf) \mid nf \neq \Lambda X.e \Rightarrow (k, nf) \in \mathcal{RE}_{inv}[u_b.u_e.i.\varphi]_{T;u}\} \\[4pt]
\mathcal{RV}(u_b.u_e.i.\varphi)[\mathrm{comp}(u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2))]_{\theta;T;u} &=& \{(k, \mathrm{comp}(c)) \mid \forall u_B, u_E, \iota,\ u \le u_B \le u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i], \\
&& \qquad (k, c) \in \mathcal{RC}(u_b.u_e.i.\varphi)[x{:}\tau\gamma.\varphi_1\gamma]_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)[\varphi_2\gamma]_{\theta;T;u_B,u_E,\iota}\} \\
&\cup& \{(k, nf) \mid nf \neq \mathrm{comp}(c) \Rightarrow (k, nf) \in \mathcal{RE}_{inv}[u_b.u_e.i.\varphi]_{T;u}\} \\[4pt]
\mathcal{RE}(u_b.u_e.i.\varphi)[\tau]_{\theta;T;u} &=& \{(k, e) \mid \forall m \le k,\ e \longrightarrow^{m} e' \Rightarrow (k - m, e') \in \mathcal{RV}(u_b.u_e.i.\varphi)[\tau]_{\theta;T;u}\}
\end{array}
\]

Figure 7. Semantics for inv-indexed types

The second example states that the interpretation of the invariant computation type $\forall j, \ell, e, t.\ (\neg\mathrm{Write}\ j\ \ell\ e\ t)$, which states that no thread performs a write action at any time, is the empty set. This is because the semantics of invariant assertions require that any trace containing the execution of such a computation satisfy this invariant. A trivial counterexample is a trace containing a second thread that writes to memory.
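The read action, its stuck case and the two examples above, as an added executable model written for this page (it is not code from the paper): it instantiates next for read and, as an assumption of the model, for a write action, runs threads under a chosen interleaving, and evaluates the predicates stuck, mem and Write over the resulting trace. Thread 2 plays the second thread that makes the invariant type of example 2 empty; the read of thread 1 is the redex at time 0 and has reduced at time 1 (time 2 when the writer is scheduled first).

```python
"""Toy, executable model of the trace semantics of Section 5.3 (added example,
not the paper's code).  Stores, threads and schedules are constructed here;
the write action and the per-step event log are assumptions of this model."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

STUCK = "stuck"  # the state a thread enters under rule R-ActF

@dataclass
class Thread:
    ident: int
    stack: List[Callable[[Any], Any]] = field(default_factory=list)  # frames x.c' :: K
    state: Any = None  # ("act", action) | ("ret", e) | ("done", e) | STUCK

def next_action(store: Dict[str, Any], action: Tuple) -> Tuple[Dict[str, Any], Any]:
    """next(sigma, read l) as in the paper: the content of l if it is allocated,
    otherwise stuck.  The write case is our own addition."""
    if action[0] == "read":
        loc = action[1]
        return store, (store[loc] if loc in store else STUCK)
    if action[0] == "write":
        _, loc, val = action
        return {**store, loc: val}, ()
    raise ValueError(f"unknown action {action!r}")

def pop_frame(thread: Thread, value: Any) -> Any:
    """Continue with c'[e/x] for the top frame x.c', or finish on an empty stack."""
    return thread.stack.pop()(value) if thread.stack else ("done", value)

def step(store: Dict[str, Any], thread: Thread):
    """One reduction of a single thread (R-ActS, R-ActF, R-Stuck, R-Ret); returns
    the new store and the Write events this step produced."""
    events: List[Tuple] = []
    if thread.state == STUCK or thread.state[0] == "done":
        return store, events  # R-Stuck: a stuck (or finished) thread stays put
    tag, payload = thread.state
    if tag == "act":
        store, result = next_action(store, payload)
        if result == STUCK:
            thread.state = STUCK  # R-ActF
        else:
            if payload[0] == "write":
                events.append(("Write", thread.ident, payload[1], payload[2]))
            thread.state = pop_frame(thread, result)  # R-ActS: c'[e/x] under stack K
    else:
        thread.state = pop_frame(thread, payload)  # R-Ret
    return store, events

def run(store, threads, schedule):
    """Execute `threads` under the interleaving `schedule` (a list of thread ids).
    The trace is a list of (store, thread states, events); time u is the index."""
    by_id = {t.ident: t for t in threads}
    trace = [(dict(store), {i: t.state for i, t in by_id.items()}, [])]
    for ident in schedule:
        store, events = step(store, by_id[ident])
        trace.append((dict(store), {i: t.state for i, t in by_id.items()}, events))
    return trace

# Atomic predicates of the assertion logic, read off a trace.
def stuck(trace, i, u):            # thread i is in the stuck state at time u
    return trace[u][1][i] == STUCK

def mem(trace, loc, v, u):         # location loc holds v at time u
    return trace[u][0].get(loc) == v

def write(trace, j, loc, e, t):    # thread j wrote e to loc at time t
    return ("Write", j, loc, e) in trace[t][2]

def returned(trace, i, u):
    """The e' of c'[e'/x] at time u, i.e. the value the action handed to its frame."""
    st = trace[u][1][i]
    return st[1] if st != STUCK and st[0] == "ret" else None

def invariant_on(trace, pred, u1, u2):
    """Invariant assertion pred@(u1, u2]: pred holds at every time point in (u1, u2]."""
    return all(pred(u) for u in range(u1 + 1, u2 + 1))

def read_scenario(store, adversary=False):
    """Thread 1 runs act(read l) under the frame y.ret(y), so the read is the redex
    at time 0.  With adversary=True a second thread writes location m first."""
    reader = Thread(1, [lambda y: ("ret", y)], ("act", ("read", "l")))
    threads, schedule = [reader], [1, 1]
    if adversary:
        threads.append(Thread(2, [], ("act", ("write", "m", 3))))
        schedule = [2] + schedule
    return run(store, threads, schedule)

def read_spec_holds(trace, i, u1, u2, loc):
    """Example 1 on a concrete trace: if loc is allocated at u2, thread i is not
    stuck on (u1, u2] and the returned y equals the stored content v."""
    v = trace[u2][0].get(loc)
    if v is None:
        return True  # premise mem l v u2 is false, so the implication holds vacuously
    not_stuck = invariant_on(trace, lambda u: not stuck(trace, i, u), u1, u2)
    return not_stuck and returned(trace, i, u2) == v

def no_write_anywhere(trace):
    """The invariant of example 2: no thread performs a write at any time."""
    return not any(ev[0] == "Write" for _, _, evs in trace for ev in evs)
```

With the writer interleaved, read_spec_holds still returns True for thread 1 while no_write_anywhere returns False, which is exactly the counterexample the text describes; reading an unallocated location puts thread 1 in the stuck state.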

5.4  Soundness  of  the  Logic 

We prove that our type system is sound relative to the semantic model of Section 5.2. We start by defining valid substitutions for contexts. We write $\mathcal{RT}[\Theta]$ to denote the set of valid semantic substitutions for Θ. We write $\mathcal{RG}(\Phi)[\Gamma]_{\theta;T;u}$ to denote a set of substitutions for variables in Γ. Each indexed substitution is a pair of an index and a substitution γ for variables.

We first prove two key lemmas. Lemma 1 states that when all the effects in τ are $u_b.u_e.i.\varphi$, then the interpretation of τ is the same as the interpretation of the invariant $u_b.u_e.i.\varphi$. The proof is by induction on the structure of τ.

Lemma 1 (Indexed types are confined). $\mathrm{confine}(\tau)(u_b.u_e.i.\varphi)$ implies $\mathcal{RE}(u_b.u_e.i.\varphi)[\tau]_{\theta;T;u} = \mathcal{RE}_{inv}[u_b.u_e.i.\varphi]_{T;u}$.

The following lemma states that if e does not contain any actions, then e, with its free variables substituted by expressions that satisfy an invariant $u_b.u_e.i.\varphi$, satisfies the same invariant. The proof is by induction on the structure of e.

Lemma 2 (Invariant confinement). If φ is composable, and thread ι silent between time $u_b$ and $u_e$ implies $T \models \varphi[u_b, u_e, \iota/u_b, u_e, i]$, then $\mathrm{fa}(e) = \emptyset$, $\mathrm{fv}(e) \subseteq \mathrm{dom}(\gamma)$, and $(n, \gamma) \in \mathcal{RE}_{inv}[u_b.u_e.i.\varphi]_{T;u}$ imply $(n, e\gamma) \in \mathcal{RE}_{inv}[u_b.u_e.i.\varphi]_{T;u}$.

The soundness theorem (Theorem 3) has two different statements for judgements with the empty qualifier and the invariant qualifier. The ones for judgments with an empty qualifier state that for any invariant Φ, if the substitution for Γ belongs to the interpretation of types, then the expression (computation) belongs to the interpretation of its type, indexed by the same invariant Φ. For judgments qualified by a specific invariant Φ, the soundness theorem statements are also specific to that Φ.

Theorem 3 (Soundness). Assume that $\forall A :: \alpha \in \Sigma$, $\forall \Phi, T, n, u$, $(n, A) \in \mathcal{RA}(\Phi)[\alpha]_{\cdot;T;u}$.

1. (a) $\mathcal{E} :: u{:}b;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_\Phi e : \tau$, $\forall\theta \in \mathcal{RT}[\Theta]$, $\forall\gamma^L \in [\![\Gamma^L]\!]$, $\forall U, U',\ U' > U$, let $\gamma_u = [U/u]$, $\forall T$, $\forall n, \gamma$, $(n;\gamma) \in \mathcal{RG}(\Phi)[\Gamma\gamma_u\gamma^L]_{\theta;T;U}$, $T \models \Delta\gamma\gamma_u\gamma^L$ implies $(n;\ e\gamma) \in \mathcal{RE}(\Phi)[\tau\gamma\gamma_u\gamma^L]_{\theta;T;U'}$

   (b) $\mathcal{E} :: u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash_\Phi c : \eta$, $\forall u, u_B, u_E, \iota$ s.t. $u \le u_B \le u_E$, let $\gamma_I = [u_B, u_E, \iota/u_1, u_2, i]$, $\forall\theta \in \mathcal{RT}[\Theta]$, $\forall\gamma^L \in [\![\Gamma^L]\!]$, $\forall T$, $\forall n, \gamma$, $(n;\gamma) \in \mathcal{RG}(\Phi)[\Gamma\gamma_I\gamma^L]_{\theta;T;u}$, $T \models \Delta\gamma\gamma_I\gamma^L$ implies $(n;\ c\gamma) \in \mathcal{RC}(\Phi)[\eta\gamma\gamma_I\gamma^L]_{\theta;T;u_B,u_E,\iota}$

2. (a) $\mathcal{E} :: u{:}b;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e : \tau$, $\forall\theta \in \mathcal{RT}[\Theta]$, $\forall\gamma^L \in [\![\Gamma^L]\!]$, $\forall U, U',\ U' > U$, let $\gamma_u = [U/u]$, $\forall T$, $\forall\Phi$, $\forall n, \gamma$, $(n;\gamma) \in \mathcal{RG}(\Phi)[\Gamma\gamma_u\gamma^L]_{\theta;T;U}$, $T \models \Delta\gamma\gamma_u\gamma^L$ implies $(n;\ e\gamma) \in \mathcal{RE}(\Phi)[\tau\gamma\gamma_u\gamma^L]_{\theta;T;U'}$

   (b) $\mathcal{E} :: u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash c : \eta$, $\forall u, u_B, u_E, \iota$ s.t. $u \le u_B \le u_E$, let $\gamma_I = [u_B, u_E, \iota/u_1, u_2, i]$, $\forall\theta \in \mathcal{RT}[\Theta]$, $\forall\gamma^L \in [\![\Gamma^L]\!]$, $\forall T$, $\forall\Phi$, $\forall n, \gamma$, $(n;\gamma) \in \mathcal{RG}(\Phi)[\Gamma\gamma_I\gamma^L]_{\theta;T;u}$, $T \models \Delta\gamma\gamma_I\gamma^L$ implies $(n;\ c\gamma) \in \mathcal{RC}(\Phi)[\eta\gamma\gamma_I\gamma^L]_{\theta;T;u_B,u_E,\iota}$

   (c) $\mathcal{E} :: \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \varphi\ \mathrm{true}$, $\forall\theta \in \mathcal{RT}[\Theta]$, $\forall\gamma^L \in [\![\Gamma^L]\!]$, $\forall T$, $\forall\Phi$, $\forall n, \gamma, u$, $(n;\gamma) \in \mathcal{RG}(\Phi)[\Gamma\gamma^L]_{\theta;T;u}$, $T \models \Delta\gamma^L\gamma$ implies $T \models \varphi\gamma^L\gamma$

We prove the soundness theorem by induction on typing derivations and a subinduction on step-indices for the case of fixpoints.

The proof of soundness of the rule CONFINE (2.(a)) first uses Lemma 1 to show that a substitution γ for Γ, where γ maps each variable x in Γ to the type interpretation of Γ(x), is also a substitution where γ(x) belongs to the interpretation of the invariant. Then we use Lemma 2 to show that the untyped term eγ belongs to the interpretation of the invariant. Applying Lemma 1 again, we can show that eγ is in the interpretation of τ. The confine relations in the premises are key to this proof. The proof of the rule Conf-Sub uses the induction hypothesis directly: a derivation with an empty qualifier can pick substitutions with any invariant φ.

To prove the soundness of HONEST, we need to show that given any substitution (n, γ) for Γ, the trace satisfies the invariant of c. From the last premise of HONEST, we know that c starts with an empty stack. c can never return because there is no frame to be popped off the empty stack. Therefore, at any time point after c starts, the invariant of c should hold. However, the length of the trace after c starts, denoted m, is not related to n. To use the induction hypothesis, we need to use substitution (m, γ) for Γ. Because Γ is empty, we complete the proof by using the induction hypothesis on the first premise given an empty substitution (m, ·).

An immediate corollary of the soundness theorem is the following robust safety theorem, which states that the invariant assertion of a computation c's postcondition holds even when c executes concurrently with other threads, including those that are adversarial. The theorem holds because we account for adversarial actions in the definition of $\mathcal{RC}(u_b.u_e.i.\varphi)[\eta]_{\theta;T;u_1,u_2,\iota}$. A similar theorem holds for partial correctness assertions.

Theorem 4 (Robust safety). If

• $u_1, u_2, i;\ \Delta \vdash c : \varphi$, $T \models \Delta$,

• T is a trace obtained by executing the parallel composition of threads of ID $(\iota_1, \ldots, \iota_k)$,

• at time $u_b$, the computation that thread $\iota_j$ is about to run is c,

• at time $u_e$, c has not returned,

then $T \models \varphi[u_b, u_e, \iota_j/u_1, u_2, i]$.

6.  Discussion 

Proving non-stuckness We can use System M's invariant assertions to verify that a program always remains non-stuck. Recall the example from Section 5.3. We can prove non-stuckness for a computation c by showing that it has the invariant postcondition $(\neg\mathrm{stuck}\ i)@(u_b, u_e]$. To complete such a proof, we would require that all action types assert non-stuckness in their postconditions under appropriate assumptions on the past trace. For instance, the first example in Section 5.3 states that we can assert non-stuckness in the postcondition of the read action, if the memory location being read has been allocated.

Choice of reduction strategy System M uses call-by-name β-reduction for expressions, which simplifies the operational semantics as well as the soundness proofs. Other evaluation strategies we have considered force us to use β-equality in place of syntactic equality in Eq. This makes the system design, semantics, and soundness proofs very complicated. In particular, the Eq rule that uses β-equality cannot be proven sound in a model where expressions are indexed by their reduction steps.

7.  Related  Work 

Hoare Type Theory (HTT) In HTT [21-23], a monad classifies effectful computations, and is indexed by the return type, a precondition over the (initial) heap, and a postcondition over the initial and final heaps. This allows proofs of functional correctness of higher-order imperative programs. The monad in System M is motivated by, and similar to, HTT's monad. However, there are several differences between System M's monad and HTT's monad. A System M postcondition is a predicate over the entire execution trace, not just the initial and final heaps as in HTT. It also includes an invariant assertion which holds even if the computation does not return. This change is needed because we wish to prove safety properties, not just properties of heaps. Although moving from predicates over heaps to predicates over traces in a sequential language is not very difficult, our development is complicated because we wish to reason about robust safety, where adversarial, potentially untyped code interacts with trusted code. Hence, we additionally incorporate techniques to reason about untyped code (rules Eq and CONFINE). We also exclude standard Hoare pre-conditions from computation types. Usually, pre-conditions ensure that well-typed programs do not get stuck. We argued in Section 6 that in System M this property can be established for individual programs using only invariant postconditions. The standard realizability semantics of HTT [29] are based on a model of CPOs, whereas our model is syntactic and step-indexed [2].

RHTT [24] is a relational extension of HTT used to reason about access and information flow properties of programs. That extension to HTT is largely orthogonal to ours and the two could potentially be combined into a larger framework with capabilities of both. The properties that can be proved with RHTT and System M are different. System M can verify safety properties in the presence of untyped adversaries; RHTT verifies relational, non-trace properties assuming fully typed adversaries.

LS2 and PCL System M is inspired by and based upon a prior program logic, LS2, for reasoning about safety properties of first-order programs in the presence of adversaries [14]. The main conceptual difference from LS2 is that in System M trusted and untrusted components may exchange code and data, whereas in LS2 this interface is limited to data. Our CONFINE rule for establishing invariants of an unknown expression from invariants of interfaces it has access to is based on a similar rule called RES in LS2. The difference is that System M's rule allows typing higher-order expressions, which makes it more complex, e.g., we must index the typing derivations with invariants and define interpretations for invariants based on step-indexing programs to obtain soundness. LS2 itself is based on a logic for reasoning about Trusted Computing Platforms [10] and Protocol Composition Logic (PCL) for reasoning about safety properties of cryptographic protocols [9].

Rely-guarantee reasoning There are two broad kinds of techniques to prove invariants over state shared by concurrent programs. Coarse-grained reasoning followed in, e.g., Concurrent Separation Logic (CSL) [6] and the concurrent version of HTT [23], assumes clearly marked critical regions and allows programs to violate invariants on shared state only within them. This assumes that resource contention is properly synchronized, which is generally unrealistic when executing concurrently with an unspecified adversary. In contrast, fine-grained reasoning followed in, e.g., the method of Owicki-Gries [26] and its successor, rely-guarantee reasoning [17], makes no synchronization assumption, but has a higher proof burden at each individual step of a computation. In proofs with System M, including the Memoir example in this paper, we use a template for rely-guarantee reasoning taken from LS2. The methods used to prove invariants within this template are different because of the new higher-order setting.

Type systems that reason about adversary-supplied code The idea of using a non-informative type, any, for typing expressions obtained from untrusted sources goes back to the work of Abadi [1]. Gordon and Jeffrey develop a very widely used proof technique for proving robust safety based on this type [15]. In their system, any program can be syntactically given the type any by typing all subexpressions of the program any. Although System M's use of the any type is similar, our proof technique for robust safety is different. It is semantic and based on that in PCL: we allow for arbitrary adversarial interleaving actions in the semantics of our computation types (relation $\mathcal{RC}(\Phi)[\eta]_{\theta;T;u}$ in Section 5.2). Due to this generalized semantic definition, robust safety (Theorem 4) is again a trivial consequence of soundness (Theorem 3).

Several type systems for establishing different kinds of safety properties build directly or indirectly on the work of Abadi [1] and Gordon and Jeffrey [15]. Of these, the most recent and advanced are RCF [3] and its extensions [4, 31]. RCF is based on types refined with logical assertions, which provide roughly the same expressiveness as System M's dependently-typed computation types. By design, RCF's notion of trace is monotonic: the trace is an unordered set of actions (programmer specified ghost annotations) that have occurred in the past [13]. This simplified design choice allows scalable implementation. On the other hand, there are safety properties of interest that rely on the order of past events and, hence, cannot be directly represented in RCF's limited model of traces. An example of this kind is measurement integrity in attestation protocols [10, Theorems 2 & 4]. In contrast to RCF, we designed System M for verification of general safety properties (so the measurement integrity property can be expressed and verified in System M), but we have not considered automation for System M so far.
F* [31] extends F7 with quantified types, a rich binding system, concrete refinements and several other features taken from the language Fine [30]. This allows verification of stateful authorization and information flow properties in F*. Quantified predicates can also be used for full functional specifications of higher-order programs. Although we have not considered these applications so far, we believe that System M can be extended similarly.

The main novelty of System M compared to the above mentioned line of work lies in the Eq and CONFINE rules that statically derive computational effects of untyped adversary-supplied code.

Code-Carrying Authorization (CCA) [20] is another extension to [15] that enforces authorization policies. CCA introduces dynamic type casts to allow untrusted code to construct authorization proofs (e.g., Alice can review paper number 10). The language runtime uses logical assertions made by trusted programs to construct proofs present in the type cast. The soundness of type casts in CCA relies on the fact that untrusted code cannot make any assertions and that it can only use those made by trusted code. Similar to CCA, System M also assigns untrusted code descriptive types. CCA checks those types at runtime, whereas the CONFINE rule assigns types statically.

Verification of TPM and Protocols based on TPM Existing work on verification of TPM APIs and protocols relying on TPM APIs uses a variety of techniques [7, 10-12, 16]. Gurgens et al. use automata to model the transitions of TPM APIs [16]. Several results [7, 11, 12] use the automated tool ProVerif [5]. ProVerif translates protocols encoded in the pi calculus into Horn clauses. To check security properties such as secrecy and correspondence, the tool runs a resolution engine on these Horn clauses and clauses representing a Dolev-Yao attacker. ProVerif over-approximates the protocol states and works with a monotonic set of facts. Special techniques need to be applied to use ProVerif to analyze stateful protocols such as ones that use TPM PCRs [12]. System M is more expressive: it can model and reason about higher-order functions and programs that invoke adversary-supplied code. Reasoning about shared non-monotonic state is possible in System M. However, verification using System M requires manual proofs. It is unclear whether our Memoir case study can be verified using the techniques introduced in [12], as it requires reasoning about higher-order code.

A proof of safety formalized in TLA+ [19] was presented in the Memoir paper [28]. They showed that Memoir's design refines an obviously safe specification that cannot be rolled back, thus implying the state integrity property we prove. However, this proof assumes that the service being protected is a constant action with no effects. Consequently, they do not need to reason about the service program being changed or causing unsafe effects. Our proofs assume a more realistic model requiring that the identity of the service be proven and that the effects of the service be analyzed based on the sandbox provided by the TPM.

8.  Conclusion 

System M is a program logic for proving safety properties of programs that may execute adversary-supplied code with some precautions. System M generalizes Hoare Type Theory with invariant assertions, and adds two novel typing rules, Eq and CONFINE, that allow typing adversarial code using reasoning in the assertion logic and assumptions about the code's sandbox, respectively. We prove soundness and robust safety relative to a step-indexed, trace model of computations. Going further, we would like to build tools for proof verification and automatic deduction in System M.
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cr  >  (t;  A;  lete(ei,  X.C2))  cr  >  (<,;  X.C2  >  if;  e  1} 


R-SeqEI 


e  e 

a  >  ( t;  if;  e )  <-¥p  a  >  («.;  if;  e) 


R-SeqE2 


cr  >  (t;  X.C2  ::  if;  comp(ci)}  ^A  cr  >  (1;  X.C2  ::  if;  ci) 


R-SeqE3 


cr  >  (t;  K;  letc(ci,  X.C2))  A  cr  >  (<,;  *.C2  ::  if;  Ci) 


R-SeqC 


a  >  <(.;  if;  (fix/(*).c)  e) 

A  cr  >  (<,;  A';  c[Az.comp(f  ix(/(x).c)  ,?)//] [e/*]) 


R-FIX 


A.  Term  Language  and  Operational  Semantics 

Syntax 


Base  values 

bv 

tt  |  ff  |  l  1 1 1  n 

Expressions 

e 

1 

x  |  bv  |  \x.e  |  AX.e 
ei  e2  |  e  •  comp(c) 

Actions 

a 

A  |  a  e  |  a  • 

Computations 

c 

1 

act(o)  |  ret(e)  |  fix  f(x).c  \  c  e 
letc(ci,  X.C2)  lete(ei,  X.C2) 
ci;  C2  |  ei;  C2 

if  e  then  Ci  else  C2 

Expr  types 

T 

:= 

A'  |  b  |  IIa;:ri.T2  |  VA'.r  |  comp(?7c)  |  any 

Comp  types 

V 

:= 

x:r.p  |  p  |  (x:r.p,  tp') 

Closed  c  types 

Vc 

f 

Ul.U2.i.(x:T.ifil,<fi2) 
Hx:T.Ul.U2.i.(y.T.<fil,  pf) 

Assertions 

P 

n 

P  ei  =  e2  |  p  e  |  T  |  _L  j  -up 
pi  A  ^2  |  pi  V  p>2  |  Mx:r.p  \  3x:r.p 

Action  Kinds 

a  : 

:  = 

Act(?7c)  |  IIa::r.a  |  MX. a 

Type  var  ctx 

0  : 

:= 

■  |  @,X 

Signatures 

E  : 

:= 

■  |  E,  A  ::  a 

Logic  var  ctx 

VL  : 

:= 

•  |  FL ,  a;  :  b  |  F1, ,  x  :  any 

Typing  ctx 

r  : 

:  = 

•  j  F,  as  :  r 

Formula  ctx 

A  : 

:= 

•  A,V3 

Exec  ctx 

H  : 

:= 

Ub  :  b,  ue  :  b, i  :  b 

CaC' 

(7  >  T  cr'  >  T' 

C7  >  T,  Ti, . . .  ,T„  -a  cr'  >  T',Ti,  ...,Tn 

B.  Well-formedness  Judgments 

Well-formedness  judgments  for  contexts  and  types 

I  ©  b  S  ok  I 


0  I-  E  ok  0;S;  b  q  ok 


0  h  ■ 

ok 

0  b  E,  A  ::  a  ok 

0;  E  b  r  ok  0;E;F  b  r  ok 

©;E  b  Fok 

0  h  E  ok 

0;  E  b  ■ 

ok 

0;  E  b  r,  x  :  t  ok 

©;  E;  r  h  A  ok 

0;  Eh  Fok  0;S;ri-Aok  F  h  p  ok 

0;  S;  r  h  ■  ok  0;  E,  F  h  A,  p  ok 


Beta  reductions  We  define  the  /3-reduction  rules  below. 


e  -A0  e 


ei  -A/s  ei 

( \x.e)e2  — >p  e[e2/x\  AX.e-  —¥p  e  ei  e2  — >p  e!\  e2 

ei  — b/3  ei 
ei  •  -A^  ei  • 


a  >  T  A  cr'  t>  T' 


next(cr,  a)  =  (cr',e)  e  yb  stuck 
cr  >  ((,;  x.C  ::  A';  act(a))  A  cr'  >  (t;  if;  c[e/x]} 

next(cr,  a)  =  (cr',  stuck) 


R-ActS 


cr  >  (t;  *.c  ::  A';  act(a))  A  a'  >  (t;  stuck) 

- 7 - — - 7 - 7Y  R-STUCK 

a  >  (c;  stuck)  A  a  >  (t;  stuck) 


R-ActF 


cr  >  (t;  x.C  ::  A';  ret(e))  A  cr  >  (<,;  A';  c[e/x\) 


R-Ret 


r  h  <pok 

r  h  p  ok  fv(e)  G  dom(r) 
rbPok  Y  \~  p  e  ok 

r  i-  <pi  ok  r  1-  v?2  ok 

r  I-  T  ok  r  I-  _L  ok  r  h  <751  A  v?2  ok 

r  1-  pi  ok  r  i-  p2  ok 

r  b  pi  V  P2  ok 

r  h  ok  t  —  b  or  any  F,  a;  :  r  h  ok 

r  I - 1  ip  ok  r  b  Mx:r.p  ok 

r  =  b  or  any  r,  x  :  r  b  p  ok 
T  h  3 x'.T.p  ok 

fv(ei)  U  fv(e2)  C  dom(F) 

T  h  e\  =  e2  ok 
Well-formedness of types $\Theta;\Sigma;\Gamma \vdash \tau\ \mathsf{ok}$:

$$\dfrac{X \in \Theta \quad \Theta;\Sigma \vdash \Gamma\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash X\ \mathsf{ok}}
\qquad
\dfrac{\Theta;\Sigma;\Gamma \vdash \tau_1\ \mathsf{ok} \quad \Theta;\Sigma;\Gamma, x:\tau_1 \vdash \tau_2\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \Pi x{:}\tau_1.\tau_2\ \mathsf{ok}}$$

$$\dfrac{\Theta;\Sigma;\Gamma \vdash \eta\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \mathsf{comp}(\eta)\ \mathsf{ok}}
\qquad
\dfrac{\Theta, X;\Sigma;\Gamma \vdash \tau\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \forall X.\tau\ \mathsf{ok}}
\qquad
\dfrac{\Theta;\Sigma \vdash \Gamma\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \mathsf{b}\ \mathsf{ok}}
\qquad
\dfrac{\Theta;\Sigma \vdash \Gamma\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \mathsf{any}\ \mathsf{ok}}$$

Well-formedness of action types $\Theta;\Sigma;\Gamma \vdash \alpha\ \mathsf{ok}$:

$$\dfrac{\Theta;\Sigma;\Gamma \vdash \eta\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \mathsf{Act}(\eta)\ \mathsf{ok}}
\qquad
\dfrac{\Theta;\Sigma;\Gamma \vdash \tau\ \mathsf{ok} \quad \Theta;\Sigma;\Gamma, x:\tau \vdash \alpha\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \Pi x{:}\tau.\alpha\ \mathsf{ok}}
\qquad
\dfrac{\Theta, X;\Sigma;\Gamma \vdash \alpha\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \forall X.\alpha\ \mathsf{ok}}$$

Well-formedness of computation types $\Theta;\Sigma;\Gamma \vdash \eta\ \mathsf{ok}$:

$$\dfrac{\Theta;\Sigma;\Gamma, u_1{:}\mathsf{b}, u_2{:}\mathsf{b}, i{:}\mathsf{b} \vdash \tau\ \mathsf{ok} \quad \Gamma, u_1{:}\mathsf{b}, u_2{:}\mathsf{b}, i{:}\mathsf{b}, x:\tau \vdash \varphi_1\ \mathsf{ok} \quad \Gamma, u_1{:}\mathsf{b}, u_2{:}\mathsf{b}, i{:}\mathsf{b} \vdash \varphi_2\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2)\ \mathsf{ok}}$$

$$\dfrac{\Theta;\Sigma;\Gamma \vdash \tau\ \mathsf{ok} \quad \Theta;\Sigma;\Gamma, y:\tau \vdash u_1.u_2.i.(x{:}\tau_1.\varphi_1, \varphi_2)\ \mathsf{ok}}{\Theta;\Sigma;\Gamma \vdash \Pi y{:}\tau.u_1.u_2.i.(x{:}\tau_1.\varphi_1, \varphi_2)\ \mathsf{ok}}$$

Expression typing $u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e : \tau$:

$$\dfrac{\Theta;\Sigma;\Gamma^L, u, \Gamma \vdash \Delta\ \mathsf{ok} \quad x:\tau \in \Gamma}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q x : \tau}\ \textsc{E-Var}
\qquad
\dfrac{\Theta;\Sigma;\Gamma^L, u, \Gamma \vdash \Delta\ \mathsf{ok} \quad \mathrm{fv}(e) \subseteq \mathrm{dom}(\Gamma)}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e : \mathsf{any}}\ \textsc{E-Un}$$

$$\dfrac{\Theta;\Sigma;\Gamma^L, u, \Gamma \vdash \Delta\ \mathsf{ok}}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q \mathit{bv} : \mathsf{b}}\ \textsc{E-BaseVal}
\qquad
\dfrac{\Theta;\Sigma;\Gamma^L, u, \Gamma \vdash \tau_1\ \mathsf{ok} \quad u;\Theta;\Sigma;\Gamma^L;\Gamma, x:\tau_1;\Delta \vdash_Q e : \tau_2}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q \lambda x.e : \Pi x{:}\tau_1.\tau_2}\ \textsc{E-Fun}$$

$$\dfrac{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e_1 : \Pi x{:}\tau_1.\tau_2 \quad u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e_2 : \tau_1}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e_1\,e_2 : \tau_2[e_2/x]}\ \textsc{E-App}$$

$$\dfrac{u;\Theta, X;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e : \tau}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q \Lambda X.e : \forall X.\tau}\ \textsc{E-TFun}
\qquad
\dfrac{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e : \forall X.\tau_1 \quad \Theta;\Sigma;\Gamma^L, u, \Gamma \vdash \tau\ \mathsf{ok}}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e\,\cdot : \tau_1[\tau/X]}\ \textsc{E-TApp}$$


C.  Typing Rules

Typing for simple terms $\Gamma \vdash e : \tau$:

$$\dfrac{x:\tau \in \Gamma}{\Gamma \vdash x : \tau}
\qquad
\dfrac{\Gamma, x:\tau_1 \vdash e : \tau_2}{\Gamma \vdash \lambda x.e : \Pi x{:}\tau_1.\tau_2}
\qquad
\dfrac{\Gamma \vdash e_1 : \Pi x{:}\tau_1.\tau_2 \quad \Gamma \vdash e_2 : \tau_1}{\Gamma \vdash e_1\,e_2 : \tau_2}
\qquad
\dfrac{}{\Gamma \vdash e : \mathsf{any}}$$

Typing via logical equality:

$$\dfrac{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e : \tau \quad \Theta;\Sigma;\Gamma^L, u;\Gamma;\Delta \vdash e = e'\ \mathsf{true} \quad \mathrm{fv}(e') \subseteq \mathrm{dom}(\Gamma)}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e' : \tau}$$

Confinement rules:

$$\dfrac{\begin{array}{c}\varphi\ \text{is trace composable} \quad u_b, u_e, i;\Theta;\Sigma;\Gamma^L, u;\Gamma;\Delta \vdash \varphi\ \mathsf{silent} \\ u_b{:}\mathsf{b}, u_e{:}\mathsf{b}, i{:}\mathsf{b} \vdash \varphi\ \mathsf{ok} \quad \mathrm{fa}(e) = \emptyset \quad \mathrm{fv}(e) \subseteq \Gamma \\ \mathsf{confine}(\tau)(u_b.u_e.i.\varphi) \quad \mathsf{confine}(\Gamma)(u_b.u_e.i.\varphi)\end{array}}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_{u_b.u_e.i.\varphi} e : \tau}\ \textsc{Confine}$$

$$\dfrac{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash e : \tau \quad u_b{:}\mathsf{b}, u_e{:}\mathsf{b}, i{:}\mathsf{b} \vdash \varphi\ \mathsf{ok}}{u;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_{u_b.u_e.i.\varphi} e : \tau}\ \textsc{Conf-sub}$$

Typing of suspended computations:

$$\dfrac{\begin{array}{c}u_1, u_2, i;\Theta;\Sigma;\Gamma^L;u_e, \Gamma;\Delta, u_1 \geq u_e \vdash_Q c : (x{:}\tau.\varphi_1, \varphi_2) \\ \Theta;\Sigma;\Gamma^L, u_e{:}\mathsf{b}, u_1{:}\mathsf{b}, u_2{:}\mathsf{b}, i{:}\mathsf{b};\Gamma, x:\tau;\Delta \vdash \varphi_1 \Rightarrow \varphi_1'\ \mathsf{true} \\ \Theta;\Sigma;\Gamma^L, u_e{:}\mathsf{b}, u_1{:}\mathsf{b}, u_2{:}\mathsf{b}, i{:}\mathsf{b};\Gamma;\Delta \vdash \varphi_2 \Rightarrow \varphi_2'\ \mathsf{true} \\ \Theta;\Sigma;\Gamma^L, u_e{:}\mathsf{b};\Gamma \vdash u_1.u_2.i.(x{:}\tau.\varphi_1', \varphi_2')\ \mathsf{ok} \quad \mathrm{fv}(c) \subseteq \mathrm{dom}(\Gamma)\end{array}}{u_e;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q \mathsf{comp}(c) : \mathsf{comp}(u_1.u_2.i.(x{:}\tau.\varphi_1', \varphi_2'))}$$

Confine relation $\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)$:

$$\dfrac{}{\mathsf{confine}(\mathsf{b})(u_b.u_e.i.\varphi)}
\qquad
\dfrac{\mathsf{confine}(\tau_1)(u_b.u_e.i.\varphi) \quad \mathsf{confine}(\tau_2)(u_b.u_e.i.\varphi)}{\mathsf{confine}(\Pi \_{:}\tau_1.\tau_2)(u_b.u_e.i.\varphi)}$$

$$\dfrac{\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)}{\mathsf{confine}(\mathsf{comp}(u_b.u_e.i.(x{:}\tau.\varphi, \varphi)))(u_b.u_e.i.\varphi)}$$

Typing rules for expressions

Typing rules for silent threads $\Xi;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi\ \mathsf{silent}$:

$$\dfrac{\Theta;\Sigma;\Gamma^L;\Xi, \Gamma;\Delta \vdash \varphi\ \mathsf{true} \quad \Gamma^L, \Xi, \Gamma \vdash \varphi\ \mathsf{ok}}{\Xi;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi\ \mathsf{silent}}\ \textsc{Silent}$$

Typing rules for actions $u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q a :: \alpha$:

$$\dfrac{\Theta;\Sigma;\Gamma^L, u{:}\mathsf{b};\Gamma \vdash \Delta\ \mathsf{ok} \quad A :: \alpha \in \Sigma}{u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q A :: \alpha}$$

$$\dfrac{u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q a :: \Pi x{:}\tau.\alpha \quad u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q e : \tau}{u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q a\,e :: \alpha[e/x]}$$

$$\dfrac{u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q a :: \forall X.\alpha \quad \Theta;\Sigma;\Gamma^L, u{:}\mathsf{b}, \Gamma \vdash \tau\ \mathsf{ok}}{u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q a\,\cdot :: \alpha[\tau/X]}$$

Logical reasoning rules $\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi\ \mathsf{true}$:

$$\dfrac{i \in [1,2] \quad \Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_1 \wedge \varphi_2\ \mathsf{true}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_i\ \mathsf{true}}\ \wedge\textsc{E}
\qquad
\dfrac{i \in [1,2] \quad \Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_i\ \mathsf{true}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_1 \vee \varphi_2\ \mathsf{true}}\ \vee\textsc{I}$$

$$\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_1 \vee \varphi_2\ \mathsf{true} \quad \Theta;\Sigma;\Gamma^L;\Gamma;\Delta, \varphi_1, \Delta' \vdash \varphi\ \mathsf{true} \quad \Theta;\Sigma;\Gamma^L;\Gamma;\Delta, \varphi_2, \Delta' \vdash \varphi\ \mathsf{true}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta, \Delta' \vdash \varphi\ \mathsf{true}}\ \vee\textsc{E}$$

$$\dfrac{\Theta;\Sigma;\Gamma^L, x:\tau;\Gamma;\Delta \vdash \varphi\ \mathsf{true}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \forall x{:}\tau.\varphi\ \mathsf{true}}\ \forall\textsc{I}
\qquad
\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \forall x{:}\tau.\varphi\ \mathsf{true} \quad \Gamma^L \vdash t : \tau}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi[t/x]\ \mathsf{true}}\ \forall\textsc{E}$$

$$\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi[t/x]\ \mathsf{true} \quad \Gamma^L \vdash t : \tau}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \exists x{:}\tau.\varphi\ \mathsf{true}}\ \exists\textsc{I}
\qquad
\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \exists x{:}\tau.\varphi\ \mathsf{true} \quad \Theta;\Sigma;\Gamma^L, a:\tau;\Gamma;\Delta, \varphi[a/x] \vdash \varphi'\ \mathsf{true} \quad a \notin \mathrm{fv}(\varphi')}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi'\ \mathsf{true}}\ \exists\textsc{E}$$


Typing  rules  for  computations  We  summarize  the  typing  rules 
for  computations  in  Figures  8  and  9. 

D.  Semantics

Semantics for invariant properties  Next we define a logical relation indexed only by an invariant property $u_b.u_e.i.\varphi$.


$$\dfrac{u_1, u_2, \iota;\Theta;\Sigma;\Gamma^L;\cdot;\Delta \vdash c : \varphi \quad \Theta;\Sigma;\Gamma^L;\cdot;\Delta \vdash \mathsf{start}(\iota, c, u)\ \mathsf{true} \quad \Theta;\Sigma \vdash \Gamma^L\ \mathsf{ok}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \forall u'{:}\mathsf{b}.(u' \geq u) \Rightarrow \varphi[u, u', \iota/u_1, u_2, i]\ \mathsf{true}}\ \textsc{Honest}$$

$$\mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u} = \{(k, \mathit{nf}) \mid \mathit{nf} \neq \lambda x.e,\ \Lambda X.e,\ \mathsf{comp}(c)\}$$
$$\cup\ \{(k, \mathsf{comp}(c)) \mid (k, c) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$
$$\cup\ \{(k, \lambda x.e) \mid \forall j, u',\ j < k,\ u' \geq u,\ (j, e') \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u'} \Rightarrow (j, e[e'/x]) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u'}\}$$
$$\cup\ \{(k, \Lambda X.e) \mid \forall j,\ j < k \Rightarrow (j, e) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$

$$\mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u} = \{(k, e) \mid \forall\, 0 \leq m < k,\ e \to^m e' \not\to\ \Rightarrow (k - m, e') \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$
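As an added worked example (not part of the paper) of how the step index of $\mathcal{RE}_{INV}$ tracks the $\beta$-reduction rules above, take the closed term $e = (\lambda x.\lambda y.x)\,\mathit{bv}_1\,\mathit{bv}_2$, where $\mathit{bv}_1, \mathit{bv}_2$ are base values chosen here for illustration. Using the congruence rule for the left side of an application and then the basic $\beta$ rule:

$$(\lambda x.\lambda y.x)\,\mathit{bv}_1\,\mathit{bv}_2 \to_\beta (\lambda y.\mathit{bv}_1)\,\mathit{bv}_2 \to_\beta \mathit{bv}_1 \not\to, \qquad \text{so } e \to^2 \mathit{bv}_1 \not\to.$$

Unfolding the definition of $\mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ for the pair $(k, e)$: the only $m < k$ for which $e \to^m e' \not\to$ holds is $m = 2$ (for $m = 0$ and $m = 1$ the reduct is not a normal form, so the antecedent is false), and it arises only when $k > 2$. In that case the obligation is $(k - 2, \mathit{bv}_1) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$, which holds by the first clause of $\mathcal{RV}_{INV}$ because $\mathit{bv}_1$ is neither a $\lambda$-abstraction, a type abstraction, nor a suspended computation. Hence $(k, e) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ for every $k$, and for the intermediate value one checks $(k - 1, \lambda y.\mathit{bv}_1) \in \mathcal{RV}_{INV}$ through the $\lambda$ clause: for any $j < k - 1$, $u' \geq u$ and $(j, e') \in \mathcal{RE}_{INV}$, the body $\mathit{bv}_1[e'/y] = \mathit{bv}_1$ is again in $\mathcal{RE}_{INV}$ at index $j$ by the same argument. The index $k$ thus bounds the number of reduction steps the relation must account for, which is what makes the later downward-closure lemma go through.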


$$\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta_1 \vdash \varphi\ \mathsf{true} \quad \Theta;\Sigma;\Gamma^L;\Gamma;\Delta_1, \varphi, \Delta_2 \vdash \varphi'\ \mathsf{true}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta_1, \Delta_2 \vdash \varphi'\ \mathsf{true}}\ \textsc{Cut}
\qquad
\dfrac{\Theta;\Sigma;\Gamma^L, \Gamma \vdash \Delta\ \mathsf{ok} \quad \varphi \in \Delta}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi\ \mathsf{true}}\ \textsc{Init}$$

$$\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta_1, \varphi, \Delta_2 \vdash \cdot}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta_1, \Delta_2 \vdash \neg\varphi\ \mathsf{true}}
\qquad
\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \neg\neg\varphi\ \mathsf{true}$$

$$\dfrac{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_1\ \mathsf{true} \quad \Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_2\ \mathsf{true}}{\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi_1 \wedge \varphi_2\ \mathsf{true}}\ \wedge\textsc{I}$$


$$\mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u} = \{(k, c) \mid$$
$\forall u_B, u_E, \iota,\ u \leq u_B \leq u_E$, let $\gamma = [u_B, u_E, \iota/u_1, u_2, i]$,
$j_b$ is the length of the trace from time $u_B$ to the end of $T$,
$j_e$ is the length of the trace from time $u_E$ to the end of $T$,
$k > j_b \geq j_e$,
the configuration at time $u_B$ is $\sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c) \cdots$,
between $u_B$ and $u_E$ (inclusive), the stack of thread $\iota$ always contains prefix $x.c' :: K$
$$\Rightarrow T \models \varphi\gamma\}$$
$$\cap\ \{(k, c) \mid$$
$\forall u_B, u_E, \iota,\ u \leq u_B \leq u_E$, let $\gamma = [u_B, u_E, \iota/u_1, u_2, i]$,
$j_b$ is the length of the trace from time $u_B$ to the end of $T$,
$j_e$ is the length of the trace from time $u_E$ to the end of $T$,
$k > j_b \geq j_e$,
the configuration at time $u_B$ is $\sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c) \cdots$,
the configuration at time $u_E$ is $\sigma_e \triangleright \cdots, (\iota;\ K;\ c'[e'/x]) \cdots$,
between $u_B$ and $u_E$, the stack of thread $\iota$ always contains $x.c' :: K$
$$\Rightarrow (j_e, e') \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u_E} \text{ and } T \models \varphi\gamma\}$$
Fixpoint  $u_1, u_2, i;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q c : \eta$


Fi  =  y  :  r,  f  :  Uy:r.comp(ui.U3-i.(x:Ti.p,  ip')) 

Mi  :  b,  U2  :  b,  i  :  b;  0;  E;  FL;  T;  A,  M  <  Mi  <  M2  F  ipo  silent 

U2,U3,  i;  0;  E;  Fl,ui  :  b,  u  :  b;  T,  Ti;  A,  M2  <  U3,  po  Fg  c  :  x\Ti.p  1 

u2,u3,i ;  0;  E;  rL;Mi  :  b,  m  :  b;  F,  Fi;  A,  u2  <  u3,  <po  Fg  c  :  p2 

0;  E;  rL,  mi  :  b,  u  :  b,  U2  :  b,  113  :  b,  *  :  b;  T,  Ti,  x  :  n;  A  F  (po  A  pi)  =>  ip  true 

0;  E;  rL,  Mi  :  b,  M2  :  b,  M3  :  b,  i  :  b,  u  :  b;  T,  Ti;  A  F  (ipo  A  p2  =>  p)  true 

0;  S;  rL ,  Mi  :  b,  M3  :  b,  i  :  b,  u  :  b;  T,  y  :  r ;  A  h  <po[v,3 /u2]  =>  <p  true 

0;  S;  rL,  M  :  b;  T  h  ni/:T.Mi.M3.i.(x:Ti.v2,  p)  ok  fv(fi x(f(y).c))  €  dom(r) 


m;  0;  S;  rL;  T;  A  hg  fix(/(y).c)  :  Uy:r.ui.u3.i.(x:Ti.p,  p') 


Fix 


Partial  correctness  typing 


S;0;S;rl;r;Ah  Q  c  :  77 


Mi  :  b;  0;  S;  FL,  M2  :  b,  i  :  b;  F;  A  hg  c  :  Yly:T.Ub-Ue.j.(x:T' .p,  p)  Mi  :  b;  0;  E;  rL,  M2  :  b,  i  :  b;  T;  A  \~q  e  :  r 
fv(c  e)  C  dom(r)  let  7  =  [mi,  m2,  i/ub,  ue,  j]  0;  E;  rL,r  H  u1.u2.i.((x:t' .p)^[e/y\,p'y[e/y])  ok 

Mi  :  b,M2  :  b,i  :  b;  0;  E;  F^;  T;  A  hQ  c  e  :  ((x:Tj.pj)[e/y],  p'y[e/y]) 


App 


Mi  :  b;  0;  E;  FL,  u2  :  b,  i  :  b;  F;  A  Fq  a  ::  kct(v,b-Ue.j.(x:T.pi,  p2))  Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  F;  A  h  p  silent 
fv(a)  G  dom(r)  0;S;rL;r  h  ui.u2.i.(x:r.pi  [mi,  M2,  i/ub,  ue,  j],  P2[u\,  u2,  i/ut,  ue,  j]  A  p)  ok 

Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  T;  A  \-q  act  (a)  :  (x\T.p\[ui,u2,i/ub,  ue,j],p2[ui,U2,i/ub,  ue,j ]  A  p) 

Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  M3  :  b;  F;  A,  Mo  <  iti  h  po  silent 
Mi  :  b;  0;  S;  VL ,  Mo  :  b,  M3  :  b,  i  :  b;  F;  A,  i^o  Fq  ei  :  comp(M6,  ue,  j.(x:r.pi,  p[)) 
let  7  =  [u\,U2,i/ub,ue,j] 

M2  :  b,  M3  :  b,  i  :  b:  0;  E;  VL ,  Mo  :  b,  Mi  :  b;  F,  x  :  T7;  A,  M2  <  M3,  potPi'i  Fg  C2  :  y.r  .p 2 
0;  E;  F^mo  :  b,  M3  :  b,  i  :  b;  T,  Mi:b,  M2:b,  x-.T-y,  y  :  r  \  A  F  (po  A  ^17  A  P2)  =>  p  true 
fv(lete(ei,  X.C2))  C  dom(F)  0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T,  y  :  t  F  p  ok 


Act 


Mo  :  b,M3  :  b ,i  :  b;  0;  E;  rL;  F;  A  Fg  lete(ei,  X.C2)  :  y.T  .p 

Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  rL;  M3  :  b,  F;  A,  Mo  <  Mi  F  po  silent 

Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  F  ,  Mo  :  b,  M3  :  b;  F;  A,  Ui  <  u2,po\~Q  C\  :  X’.r.p  1 

M2  :  b,  M3  :  b,  i  :  b;  0;  E;  rL,  Mo  :  b,  Mi  :  b;  F,  x  :  r;  A,  M2  <  M3,  po,pi  Fg  C2  :  y.T  .p 2 

0;  E;  rL,Mi:b,  M2ib,  Mo  :  b,  M3  :  b,  i  :  b;  T,  x:r,  y.  t  \  Ah  (p0  A  p\  A  P2)  =>  p  true 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T,  y  :  t  F  p  ok  fv(letc(ci,  X.C2))  C  dom(r) 

Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  VL;  T;  A  Fg  letc(ci,x.c2)  :  y.T  .p 


SeqE 


SeqC 


M2:b;0;E;r,Mi:b,i:b;F;AI-ge:T  Mi:b,M2:b,i:b;0;E;rI';r;AFyi  silent  fv(e)  C  dom(F) 
Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  T1";  F;  A  Fg  ret(e)  :  x:t.((x  =  e)  A  p) 


Ret 


Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  T  ,  M2  :  b;  T;  A,  Mo  <  Mi  F  po  silent 

Mo  :  b;  0;  E;  YL ,  u2  :  b,  i  :  b;  F;  A  hg  e  :  b  Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  VL ,  Mo  :  b;  T;  A,  Mi  <  u2,po,  (eval  ett)  Fg  ci  :  x\T.p  1 

Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  FL,  Mo  :  b;  T;  A,  Mi  <  M2,  po,  (eval  eff)  Fg  C2  :  X’.T.p 2 

0;  E;  TL ,  Mo  :  b,  u2  :  b,  i  :  b;  F,  Mi  :b,i:r;AF  (p0  A  pi)  =>  p  where  i  £  [1,  2] 

0;  E;  VL ,  Mo  :  b,  u2  :  b,  i  :  b;  F,  *  :  t  F  p  ok  f  v(e)  U  fv(ci)  U  fv(c2)  C  dom(F) 

Mo  :b,M2  :b,i:b;0;E;ri;F;AI-g  ife  then  Ci  else  C2  :  x:r.p 

Figure  8.  Computation  typing  rules  (1) 


If 
Invariant typing  $u_1, u_2, i;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_Q c : \eta$


0;  E;  VL ,Uo  :  b,  M3  :  b,  %  :  b;  T;  A  b  ip  ok 

M0  :  b,  Mi  :  b,  i  :  b;  0;  E;  rL,  M3  :  b;  T;  A,  Mo  <  Mi  b  ip0  silent  Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  FL-,  T;  A,  Mo  <  M3  b  p0  silent 

Mi  :  b;  0;  E;  YL ,  Mo  :  b,  M3  :  b,  i  :  b;T;  A,  720  b  q  e\  :  comp(Mb,  ue,  j.(x:T.tpi,  ipi)) 

M2  :  b,  M3  :  b,  i  :  b;0;E;FL,Mo  :  b;T;  A, Mi  :  b,  x  :  r;  Mi  <  M2  <  M3,  720,  721  [mi,  M2,  i/ub,  Me,  j]  bQ  C2  :  722 
0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T;  A  b  ip'0  =7-  72  true 

0;  E;  rL,  Mo  :  b,M3  :  b,  i  :  b;F,Mi:b;  A  b  720  A  <^i[Mi,  M3,  i/ub,  ue,  j]  =>  72  true 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  F,  Mi:b,  M2:b,  <e:t;  A  b  (720  A  721  [mi,  M2,  i/ub,  ue,  j]  A  722)  =$■  72  true 

fv(lete(ei,*.C2))  C  dom(F) 

Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  TL-,  T;  A  \~q  lete(ei,  X.C2)  :  72 


SeqEI 


0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  F;  A  b  72  ok 

Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  FL,  M3  :  b;  T;  A,  Mo  <  Mi  b  720  silent  Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  T1";  F;  A,  Mo  <  M3  b  ip'0  silent 

Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  TL,  Mo  :  b,  M3  :  b;  T;  A,  Mi  <  M2,  720  b q  c  1  :  x:T.ipi 

Mi  :  b,  M3  :  b,  i  :  b;  0;  E;  FL;  F;  A,  Mo  :  b,  Mi  <  M3,  tpo  \~q  c  1  :  <p\ 

m2  :  b,  m3  :  b,  i  :  b;  0;  E;  FL;  F;  A,  M0  :  b,  Mi  :  b,  x  :  T,  m2  <  m3,  720,  721  \~q  c2  :  722 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  F;  A  b  ip'0  =>  ip  true 

0;  E;  YL ,  Mo  :  b,  M3  :  b,  i  :  b;  F,  Mi:b;  A  b  (tp0  A  1721)  =>  72  true 

0;  E;  YL ,  Mo  :  b,  M3  :  b,  i  :  b;  T,  Mi:b,  M2:b,  *:r;  A  b  (750  A  721  A  722)  =7-  72  true  fv(letc(ci,  X.C2))  C  dom(r) 

Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  FL;  T;  A  bQ  letc(ci,  X.C2)  :  72 


SeqCI 


f  v(e)  C  dom(F)  Mi  :b,M2  :b,i:b;0;E;F;F;Ab72  silent 
Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  rL;  T;  A  b q  ret(e)  :  72 


RetI 


0;  E;  Yl,  mo  :  b,M2  :  b,i  :  b;F;  Abg  e  :  b 

Mo  :  b,  M2  :  b,  j  :  b;  0;  E;  FL;  F;  A,  Mi  <  M2  b  750  silent  Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  YL ,  M2  :  b;  F;  A,  Mo  <  Mi  b  720  silent 
Mi  :  b,  M2  :  b,  *  :  b;  0;  E;  FL,  Mo  :  b;  T;  A,  Mi  <  M2, 720,  (eval  ett)  bQ  ci  :  721 

Mi  :  b,  m2  :  b,  i  :  b;  0;  E;  Fl,m0  :  b;  T;  A,  Mi  <  m2,  720,  (eval  eff)  bQ  c2  :  722  0;  E;  F^,  m0  :  b,  m2  :  b,  i  :  b;  T;  A  b  720  =7  72 

0;  E;  YL ,  Mo  :  b,  M2  :  b,  i  :  b;  T,  Mi  :  b;  A  b  (720  A  p>i)  =>72  0;  E;  rL,  Mo  :  b,  M2  :  b,  i  :  b;  T,  Mi  :  b;  A  b  (720  A  722)  =7  72 

0;  E;  rL,  Mo  :  b,  M2  :  b,  j  :  b;  F;  A  b  72  ok  fv(e)  U  fv(ci)  U  fv(c2)  C  dom(F) 

Mo  :  b,  M2  :  b,  i  :  b;  0;  E;  T17;  T ;  A  bQ  if  e  then  Ci  else  C2  :  72 


IfI 


Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  T  ;  T;  A,  721  bQ  c  :  722 
Mi  :  b,  m2  :  b,  i  :  b;  0;  E;  FL;  T;  A  bQ  c  :  721  =7  722 


ImpI 


Misc 


k  G  [1,2]  Mi,m2,*;0;E;F  ;F;  A  bQ  c  :  (771,772) 

Mi,M2,7;0;E;rL;r;  A  bQ  c  :  rjk 


Pair 


Mi,M2,*;0;S;r  ;T;  A  bQ  c  :  x:r.ipi  Mi,  M2,  *;  0;  S;  T  ;  T;  A  bQ  c  :  722 
Mi,  M2,  i;  0;  S;  rL;  F;  A  b q  c  :  (x:r.<pi,  722) 


Proj 


0;  E;  T  ,  S;  F;  Ai  b  72  true  0;  E;  F  ;  F;  Ai,  72,  A2  bQ  c  :  77 

H;0;E;ri;r;Ai,  A2  bQ  c  :  77 


CutC 


Figure  9.  Computation  typing  (2) 
Mo  :  b,  «2  :  b,  i  '■  b;  0;  E;  T1",  U3  :  b;  ■;  A,  Mo  <  Mi  <  M2  Po  silent 

Mi  :  b;  0;  E;  rL,  Mo  :  b,  M2  :  b,  M3  :  b,  i  :  b;  •;  p 0  hqi  ei  :  comp(Mb,  ue,j.{x\T.pi,  p[)) 

let  7  =  [ui,U2,i/Ub,Ue,j\ 

M2,  M3,  i;  0;  E;  rL,  mo  :  b,  Mi  :  b;  •;  A,  M2  <  U3,po,  <£i7  Fq2  C2  :  y.r' .p 2 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T,  Mi:b,  M2:b,  y  :  t  \  A  h  (po  A  777  A  <£>2)  =>  p  true 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b,  T,  y  :  t'  h  p  ok 

- j - - -  SeqEComp 

Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  F  ;F;  A  Hq2  (ei;c2)  :  y.r  .p 

Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  rL,  M3  :  b;  ■;  A,  Mo  <  Mi  h  p 0  silent 
Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  rL,  Mo  :  b,  M3  :  b;  •;  po  Fq  Ci  :  X'.T.p  1 
M2  :  b,  M3  :  b,  i  :  b;  0;  E;  VL- Mo  :  b,  Mi  :  b,  ■;  A,  M2  <  M3,  po,  Pi  F Q2  C2  :  y.r'  .p2 

0;  E;  Tl-uo  :  b,  M3  :  b,  i  :  b;  •,  Mi:b,  M2:b,  y  \  t  \  Ah  (po  A^iA  P2)  =>  p  true 

0;  E;  VL-,  Mo  :  b,  M3  :  b,  i  :  b,  r,  y  :  r  F  p  ok 

- L - - -  SeqCComp 

M0  :  b,  m3  :  b,  i  :  b;  0;  E;  V  ;  T;  A  Fq2  (ci;c2)  :  y.T  .p 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T;  A  F  p  ok  Mo  :  b,  M2  :  b,  i  :  b;  0;  E;  VL ,  M3  :  b;  •;  A,  Mo  <  Mi  <  M2  F  po  silent 

Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  rL;  •;  A,  Mo  <  M3  F  p0  silent 

Mi  :  b;  0;  E;  TL,  Mo  :  b,  M2  :  b,  M3  :  b ,i  :  b;  ■;  ipo  F q  ei  :  comp(Mb,  ue,j.(x:r.pi,  p[)) 

M2  :  b,  M3  :  b,j  :  b;  0;  E;  rL,Mo  :  b;  ■;  A,  Mi  :  b;  Mi  <  M2  <U3,po,  Pi  [mi,  M2,  i/ub,  Me,  j]  \~q  C2  :  P2 
0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T;  A  F  p0  =7  p  true 

0;  E;  rL,M0  :  b,  M3  :  b,i  :  b;  T,  Mi:b;  A  F  p0  A  ipi[Mi,  M3 ,i/ub,ue,j]  =>  p  true 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T,  «i:b,  M2:b;  A  F  (po  A  pi\ui.  M2,  i/Mb,  Me ,  t'l  A  P2 )  =>  v3  true 

- = -  SeqEIComp 

Mo  :  b,M3  :  b,i  :  b;0;E;T  ;F;  A  F q  (ei;C2)  :  p 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  F;  A  F  p  ok  Mo  :  b,  Mi  :  b,  i  :  b;  0;  E;  T1",  M3  :  b;  ■;  A,  Mo  <  Mi  F  <p0  silent 
Mo  :  b,  M3  :  b,  i  :  b;  0;  E;  I’1']  •;  A,  Mo  <  M3  F  p'0  silent 

Mi  :  b,  M2  :  b,  i  :  b;  0;  E;  rL,  Mo  :  b,  M3  :  b;  •;  po  Fq  Ci  :  x:r.p  1 

Mi  :  b,  M3  :  b,  i  :  b;  0;  E;  T1';  •;  A,  Mo  :  b,  Mi  <  M3,  po  Fq  Ci  :  p\ 

U2  :  b,  M3  :  b,  i  :  b;  0;  E;  T1';  •;  A,  Mo  :  b,  Mi  :  b,  x  :  r,  M2  <  M3,  po,Pi  I Fq  C2  :  P2 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  F;  A  F  p0  =>  ip  true 

0;  E;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  F,  Mi:b;  A  h  (p0  A  p  true 

0;  S;  rL,  Mo  :  b,  M3  :  b,  i  :  b;  T,  Mi:b,  M2:b;  A  h  (po  A  pi  A  P2)  =7  p  true 

- L -  SeqCIComp 

Mo  :  b,  M3  :  b,  i  :  b;0;E;T  ;F;  A  hq  (ci;C2)  :  p 


Figure  10.  Sequential  composition 


$$\mathcal{RF}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u} = \{(k, c) \mid \forall e,\ (k, e) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u} \Rightarrow (k, c\,e) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$

Semantics for invariant indexed types  Figure 11 summarizes the interpretation of types indexed by the invariant property $u_b.u_e.i.\varphi$. The invariant property is used to constrain the behavior of expressions that evaluate to normal forms that do not agree with their types.

$$\mathcal{RC}(u_b.u_e.i.\varphi_i)\llbracket x{:}\tau.\varphi\rrbracket_{\theta;T;u_1,u_2,\iota} = \{(k, c) \mid$$
$j_b$ is the length of the trace from time $u_1$ to the end of $T$,
$j_e$ is the length of the trace from time $u_2$ to the end of $T$,
$k > j_b \geq j_e$,
the configuration at time $u_1$ is $\sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c) \cdots$,
the configuration at time $u_2$ is $\sigma_e \triangleright \cdots, (\iota;\ K;\ c'[e'/x]) \cdots$,
between $u_1$ and $u_2$, the stack of thread $\iota$ always contains $x.c' :: K$
$$\Rightarrow (j_e, e') \in \mathcal{RE}(u_b.u_e.i.\varphi_i)\llbracket\tau\rrbracket_{\theta;T;u_2} \text{ and } T \models \varphi[e'/x]\}$$

$$\mathcal{RC}(\_)\llbracket\varphi\rrbracket_{\theta;T;u_1,u_2,\iota} = \{(k, c) \mid$$
$j_b$ is the length of the trace from time $u_1$ to the end of $T$,
$j_e$ is the length of the trace from time $u_2$ to the end of $T$,
$k > j_b \geq j_e$,
the configuration at time $u_1$ is $\sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c) \cdots$,
between $u_1$ and $u_2$ (inclusive), the stack of thread $\iota$ always contains prefix $x.c' :: K$
$$\Rightarrow T \models \varphi\}$$

$$\mathcal{RF}(u_b.u_e.i.\varphi_i)\llbracket\Pi x{:}\tau.u_1.u_2.i.(y{:}\tau'.\varphi, \varphi')\rrbracket_{\theta;T;u} =$$
$$\{(k, c) \mid \forall e,\ \forall u', u_B, u_E, \iota,\ u \leq u' \leq u_B \leq u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i],$$
$$(k, e) \in \mathcal{RE}(u_b.u_e.i.\varphi_i)\llbracket\tau\rrbracket_{\theta;T;u'} \Rightarrow$$
$$(k, c\,e) \in \mathcal{RC}(u_b.u_e.i.\varphi_i)\llbracket(y{:}\tau'\gamma.\varphi\gamma)[e/x]\rrbracket_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)\llbracket\varphi'\gamma[e/x]\rrbracket_{\theta;T;u_B,u_E,\iota}\}$$

$$\mathcal{RA}(u_b.u_e.i.\varphi)\llbracket\mathsf{Act}(u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2))\rrbracket_{\theta;T;u} =$$
$$\{(k, a) \mid \forall u_B, u_E, \iota,\ u \leq u_B \leq u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i],$$
$$(k, \mathsf{act}(a)) \in \mathcal{RC}(u_b.u_e.i.\varphi)\llbracket x{:}\tau\gamma.\varphi_1\gamma\rrbracket_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)\llbracket\varphi_2\gamma\rrbracket_{\theta;T;u_B,u_E,\iota}\}$$

$$\mathcal{RA}(u_b.u_e.i.\varphi)\llbracket\Pi x{:}\tau.\alpha\rrbracket_{\theta;T;u} = \{(k, a) \mid \forall e,\ \forall u' \geq u,\ (k, e) \in \mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau\rrbracket_{\theta;T;u'} \Rightarrow (k, a\,e) \in \mathcal{RA}(u_b.u_e.i.\varphi)\llbracket\alpha[e/x]\rrbracket_{\theta;T;u'}\}$$

$$\mathcal{RA}(u_b.u_e.i.\varphi)\llbracket\forall X.\alpha\rrbracket_{\theta;T;u} = \{(k, a) \mid \forall j < k,\ \forall C \in \mathrm{Type} \Rightarrow (j, a\,\cdot) \in \mathcal{RA}(u_b.u_e.i.\varphi)\llbracket\alpha\rrbracket_{\theta[X \mapsto C];T;u}\}$$

$$\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\mathsf{any}\rrbracket_{\theta;T;u} = \{(k, \mathit{nf}) \mid k \in \mathbb{N}\}$$

$$\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket X\rrbracket_{\theta;T;u} = \theta(X)$$

$$\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\mathsf{b}\rrbracket_{\theta;T;u} = \{(k, e) \mid (k, e) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$

$$\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\Pi x{:}\tau_1.\tau_2\rrbracket_{\theta;T;u} = \{(k, \lambda x.e) \mid \forall j < k,\ \forall u' \geq u,\ \forall e',\ (j, e') \in \mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau_1\rrbracket_{\theta;T;u'}$$
$$\Rightarrow (j, e[e'/x]) \in \mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau_2[e'/x]\rrbracket_{\theta;T;u'}\}$$
$$\cup\ \{(k, \mathit{nf}) \mid \mathit{nf} \neq \lambda x.e \Rightarrow (k, \mathit{nf}) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$

$$\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\forall X.\tau\rrbracket_{\theta;T;u} = \{(k, \Lambda X.e) \mid \forall j < k,\ \forall C \in \mathrm{Type} \Rightarrow (j, e) \in \mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau\rrbracket_{\theta[X \mapsto C];T;u}\}$$
$$\cup\ \{(k, \mathit{nf}) \mid \mathit{nf} \neq \Lambda X.e \Rightarrow (k, \mathit{nf}) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$

$$\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\mathsf{comp}(u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2))\rrbracket_{\theta;T;u} =$$
$$\{(k, \mathsf{comp}(c)) \mid \forall u_B, u_E, \iota,\ u \leq u_B \leq u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i],$$
$$(k, c) \in \mathcal{RC}(u_b.u_e.i.\varphi)\llbracket x{:}\tau\gamma.\varphi_1\gamma\rrbracket_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)\llbracket\varphi_2\gamma\rrbracket_{\theta;T;u_B,u_E,\iota}\}$$
$$\cup\ \{(k, \mathit{nf}) \mid \mathit{nf} \neq \mathsf{comp}(c) \Rightarrow (k, \mathit{nf}) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}\}$$

$$\mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau\rrbracket_{\theta;T;u} = \{(k, e) \mid \forall m < k,\ e \to^m e' \not\to\ \Rightarrow (k - m, e') \in \mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\tau\rrbracket_{\theta;T;u}\}$$

Figure 11. Semantics for inv-indexed types

2014/7/22


Formula semantics

$$\llbracket\mathsf{any}\rrbracket = \{e \mid e \text{ is an expression}\}$$
$$\llbracket\mathsf{b}\rrbracket = \{e \mid e \to^* \mathit{bv}\}$$
$$\llbracket\Pi x{:}\tau_1.\tau_2\rrbracket = \{\lambda x.e \mid \forall e',\ e' \in \llbracket\tau_1\rrbracket \Rightarrow e[e'/x] \in \llbracket\tau_2\rrbracket\}$$

$T \models P\,e$ iff $P\,e \in \mathcal{E}(T)$

$T \models \mathsf{start}(\iota, c, U)$ iff thread $\iota$ has $c$ as the active computation with an empty stack at time $U$ on $T$

$T \models \forall x{:}\tau.\varphi$ iff $\forall e,\ e \in \llbracket\tau\rrbracket$ implies $T \models \varphi[e/x]$

$T \models \exists x{:}\tau.\varphi$ iff $\exists e,\ e \in \llbracket\tau\rrbracket$ and $T \models \varphi[e/x]$

E.  Lemmas

Lemma 5 ($\mathcal{R}_{INV}$ is downward-closed).

1. If $(k, e) \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$ then $\forall j < k$, $(j, e) \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$

2. If $(k, e) \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u}$ then $\forall j < k$, $(j, e) \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u}$

3. If $(k, c) \in \mathcal{RC}_{INV}\llbracket\Phi\rrbracket_{T;u}$ then $\forall j < k$, $(j, c) \in \mathcal{RC}_{INV}\llbracket\Phi\rrbracket_{T;u}$

Proof (sketch): By examining the definition of the relations. $\square$
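As an added worked case (not part of the paper's proof sketch) of how the definitions yield downward closure, consider part 1 for a $\lambda$-abstraction and part 2, with $\Phi = u_b.u_e.i.\varphi$.

Part 1, case $\mathit{nf} = \lambda x.e$. Assume $(k, \lambda x.e) \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$ and $j < k$. By the $\lambda$ clause of $\mathcal{RV}_{INV}$ the assumption says:

$$\forall j', u',\ j' < k,\ u' \geq u,\ (j', e') \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u'} \Rightarrow (j', e[e'/x]) \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u'}.$$

To show $(j, \lambda x.e) \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$ we need the same implication for all $j' < j$. Since $j' < j < k$, every such $j'$ is already covered by the assumption, so the obligation is an instance of it; no property of $e$ beyond the assumption is used. For the non-function normal forms the first clause of $\mathcal{RV}_{INV}$ does not mention the index at all, so closure there is immediate.

Part 2. Assume $(k, e) \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u}$ and $j < k$. For any $m < j$ with $e \to^m e' \not\to$, we also have $m < k$, so the assumption gives $(k - m, e') \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$. Since $j - m < k - m$, part 1 applied at index $k - m$ gives $(j - m, e') \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$, which is exactly the membership condition for $(j, e)$ in $\mathcal{RE}_{INV}$. The two parts therefore support each other: part 2 uses part 1 at an index no larger than $k$, and part 1 in the $\lambda$ case unfolds to $\mathcal{RE}_{INV}$ at strictly smaller indices.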

Lemma 6 ($\mathcal{R}_{INV}$ is closed under delay).

1. If $(k, e) \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$ then $\forall u' \geq u$, $(k, e) \in \mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u'}$

2. If $(k, e) \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u}$ then $\forall u' \geq u$, $(k, e) \in \mathcal{RE}_{INV}\llbracket\Phi\rrbracket_{T;u'}$

3. If $(k, c) \in \mathcal{RC}_{INV}\llbracket\Phi\rrbracket_{T;u}$ then $\forall u' \geq u$, $(k, c) \in \mathcal{RC}_{INV}\llbracket\Phi\rrbracket_{T;u'}$

Proof (sketch): By examining the definitions. $\square$

Lemma 7 (Indexed types are confined). $\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)$ implies

1. $\mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\tau\rrbracket_{\theta;T;u} = \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$.

2. $\mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau\rrbracket_{\theta;T;u} = \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$.

3. For all $n$, $c$: ($\forall u_B, u_E, \iota$ s.t. $u \leq u_B \leq u_E$,
$(n, c) \in \mathcal{RC}(u_b.u_e.i.\varphi)\llbracket x{:}\tau.\varphi[u_B, u_E, \iota/u_b, u_e, i]\rrbracket_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)\llbracket\varphi[u_B, u_E, \iota/u_b, u_e, i]\rrbracket_{\theta;T;u_B,u_E,\iota}$)
iff $(n, c) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$.


Proof. By induction on $\tau$. 2 uses 1 directly, 1 uses 2 when $\tau$ is smaller, 3 uses 2 directly, and 1 uses 3 when $\tau$ is smaller.

Proof of 1.

case: $\tau = \mathsf{b}$. Follows directly from the definitions.

case: $\tau = \Pi x{:}\tau_1.\tau_2$.

By assumptions, $\mathsf{confine}(\tau_1)(u_b.u_e.i.\varphi)$ and $\mathsf{confine}(\tau_2)(u_b.u_e.i.\varphi)$ (1)

Assume $(n, \mathit{nf}) \in \mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\Pi x{:}\tau_1.\tau_2\rrbracket_{\theta;T;u}$ (2)

To show: $(n, \mathit{nf}) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$

We first consider the case when $\mathit{nf} = \lambda x.e_1$.

Given $0 \leq j < n$, $u' \geq u$, $(j, e') \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u'}$

By I.H. on $\tau_1$: $(j, e') \in \mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau_1\rrbracket_{\theta;T;u'}$

By (2): $(j, e_1[e'/x]) \in \mathcal{RE}(u_b.u_e.i.\varphi)\llbracket\tau_2[e'/x]\rrbracket_{\theta;T;u'}$ (3)

By I.H. on $\tau_2$ and (3): $(j, e_1[e'/x]) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u'}$ (4)

By (4): $(n, \lambda x.e_1) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$

Next we consider the case where $\mathit{nf} = \Lambda X.e_1$ or $\mathsf{comp}(c)$; this follows from the definition directly. The proof of the other direction is similar.

case: $\tau = \mathsf{comp}(u_b.u_e.i.(x{:}\tau.\varphi, \varphi))$

By assumption, $\mathsf{confine}(\tau)(u_b.u_e.i.\varphi)$ (1)

Assume $(n, \mathit{nf}) \in \mathcal{RV}(u_b.u_e.i.\varphi)\llbracket\mathsf{comp}(u_b.u_e.i.(x{:}\tau.\varphi, \varphi))\rrbracket_{\theta;T;u}$ (2)

To show: $(n, \mathit{nf}) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$

We show the case when $\mathit{nf} = \mathsf{comp}(c)$; the other cases are trivial.

By definitions, $\forall u_B, u_E, \iota$, $u \leq u_B \leq u_E$, let $\gamma = [u_B, u_E, \iota/u_b, u_e, i]$,
$(n, c) \in \mathcal{RC}(u_b.u_e.i.\varphi)\llbracket x{:}\tau\gamma.\varphi\gamma\rrbracket_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)\llbracket\varphi\gamma\rrbracket_{\theta;T;u_B,u_E,\iota}$ (3)

By I.H. and (3): $(n, c) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (4)

By (4): $(n, \mathit{nf}) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (5)

The proof of the other direction is similar.

3 is proven straightforwardly by expanding the definitions of the two relations.

$\square$


Lemma 8 (Invariant confinement).

$\varphi$ is composable, and thread $\iota$ is silent between time $u_b$ and $u_e$ implies $T \models \varphi[u_b, u_e, \iota/u_b, u_e, i]$.

1. If $\mathrm{fa}(e) = \emptyset$, $\mathrm{fv}(e) \subseteq \mathrm{dom}(\gamma)$, $(n, \gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ then $(n, e\gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$

2. If $\mathrm{fa}(c) = \emptyset$, $\mathrm{fv}(c) \subseteq \mathrm{dom}(\gamma)$, $(n, \gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ then $(n, c\gamma) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$

3. If $\mathrm{fa}(c) = \emptyset$, $\mathrm{fv}(\mathsf{fix}\,f(x).c) \subseteq \mathrm{dom}(\gamma)$, $(n, \gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ then $(n, \mathsf{fix}\,f(x).c\gamma) \in \mathcal{RF}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$.

Proof. By induction on the structure of the terms. 3 needs a sub-induction on $n$. We show a few key cases.

Proof of 1.

case: $e = e_1\,e_2$

By I.H.:
$(n, e_1\gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (1)
$(n, e_2\gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (2)

Assume $(e_1\,e_2)\gamma \to^m \mathit{nf} \not\to$, with $e_1\gamma \to^j \mathit{nf}_1 \not\to$ (3)

We consider two cases: $\mathit{nf}_1 = \lambda x.e$ and $\mathit{nf}_1 \neq \lambda x.e$.

Subcase $\mathit{nf}_1 = \lambda x.e$:

By (1): $(n - j, \lambda x.e) \in \mathcal{RV}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (4)

By (2) and Lemma 5: $(n - j - 1, e_2\gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (5)

By (4) and (5): $(n - j - 1, e[e_2\gamma/x]) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (6)

By (6): $(n, (e_1\,e_2)\gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (7)

Subcase $\mathit{nf}_1 \neq \lambda x.e$:

$(e_1\,e_2)\gamma \to^m \mathit{nf}_1\,(e_2\gamma)$ (8)

By definitions: $(n, (e_1\,e_2)\gamma) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (9)

Proof of 3 is by sub-induction on $n$.

case: $n = 0$

The fixpoint couldn't have returned. We only need to show that the trace satisfies $\varphi$. This is true because the thread executing the fixpoint is silent.

case: $n = k + 1$

Assume that $(k, \mathsf{fix}\,f(x).c\gamma) \in \mathcal{RF}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (1)

To show $(k + 1, \mathsf{fix}\,f(x).c\gamma) \in \mathcal{RF}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$:
$\forall e$, $(k + 1, e) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$,
to show $(k + 1, c\,e) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$.

By (1): $(k, \lambda z.\mathsf{comp}((\mathsf{fix}\,f(x).c\gamma)\,z)) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (2)

By I.H. on $c$ and Lemmas 5 and 6:
$(k, c[\lambda z.\mathsf{comp}((\mathsf{fix}\,f(x).c\gamma)\,z)/f][e/x]) \in \mathcal{RC}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$ (3)

Assume thread $\iota$ executes the fixpoint; we consider the following time intervals:

(i) before the fixpoint is unrolled,

(ii) the body of the fixpoint is evaluated,

(iii) the fixpoint returns $e_1$.

Since $\iota$ is silent in (i), $\varphi$ holds in (i) (4)

By (3) and $\varphi$ is composable, $\varphi$ holds in (ii) and (iii), and $(j_e, e_1) \in \mathcal{RE}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u_E}$, where $u_E$ is the time when $e_1$ is returned and $j_e$ is the length of $T$ from $u_E$ till the end of $T$ (5)

By (4) and (5): $(k + 1, \mathsf{fix}\,f(x).c\gamma) \in \mathcal{RF}_{INV}\llbracket u_b.u_e.i.\varphi\rrbracket_{T;u}$

$\square$


F.  Properties of Interpretation of Types

Lemma 9. If $\mathit{nf} \neq \lambda x.e$ or $\Lambda X.e$ or $\mathsf{comp}(c)$, then $(n, \mathit{nf}) \in \mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$.

Proof (sketch): Case on $\tau$. For all cases except when $\tau = X$, the conclusion follows from the definition of $\mathcal{RV}_{INV}\llbracket\Phi\rrbracket_{T;u}$. When $\tau = X$, $\theta(X) \in \mathrm{Type}$. By the definition of $\mathrm{Type}$, every $C \in \mathrm{Type}$ contains all stuck terms that are not functions or suspended computations. $\square$

Lemma 10 (Substitution). If $C = \mathcal{RV}(\Phi)\llbracket\tau_1\rrbracket_{\theta;T;u}$ then

1. $\mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta[X \mapsto C];T;u} = \mathcal{RV}(\Phi)\llbracket\tau[\tau_1/X]\rrbracket_{\theta;T;u}$

2. $\mathcal{RE}(\Phi)\llbracket\tau\rrbracket_{\theta[X \mapsto C];T;u} = \mathcal{RE}(\Phi)\llbracket\tau[\tau_1/X]\rrbracket_{\theta;T;u}$

3. $\mathcal{RC}(\Phi)\llbracket\eta\rrbracket_{\theta[X \mapsto C];T;u_1,u_2,\iota} = \mathcal{RC}(\Phi)\llbracket\eta[\tau_1/X]\rrbracket_{\theta;T;u_1,u_2,\iota}$

4. $\mathcal{RA}(\Phi)\llbracket\alpha\rrbracket_{\theta[X \mapsto C];T;u} = \mathcal{RA}(\Phi)\llbracket\alpha[\tau_1/X]\rrbracket_{\theta;T;u}$

Proof (sketch): By induction on the structure of $\tau$, $\eta$, $\varphi$ and $\alpha$. $\square$

Lemma 11 (Downward-closure).

1. If $(k, c) \in \mathcal{RC}(\Phi)\llbracket\eta\rrbracket_{\theta;T;u_1,u_2,\iota}$ then $\forall j < k$, $(j, c) \in \mathcal{RC}(\Phi)\llbracket\eta\rrbracket_{\theta;T;u_1,u_2,\iota}$

2. If $\mathrm{ftv}(\tau) \subseteq \mathrm{dom}(\theta)$, $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, and $(k, e) \in \mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$, then $\forall j < k$, $(j, e) \in \mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$.

3. If $\mathrm{ftv}(\tau) \subseteq \mathrm{dom}(\theta)$, $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, and $(k, e) \in \mathcal{RE}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$, then $\forall j < k$, $(j, e) \in \mathcal{RE}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$.

Proof (sketch): By examining the definitions. The proof of 3 uses 2, and 2 uses 1. $\square$

Lemma 12 (Substitutions are closed under index reduction).

If $\mathrm{ftv}(\Gamma) \subseteq \mathrm{dom}(\theta)$, $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, $(n, \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\rrbracket_{\theta;T;u}$, and $j \leq n$, then $(j, \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\rrbracket_{\theta;T;u}$.

Proof (sketch): By induction on the structure of $\Gamma$, using Lemma 11. $\square$

Lemma 13 (Validity of types). If $\mathrm{ftv}(\tau) \subseteq \mathrm{dom}(\theta)$ and $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, then $\mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u} \in \mathrm{Type}$.

Proof (sketch): By Lemma 11. $\square$

Lemma 14 (Closed under delay).

1. If $(k, e) \in \mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$ and $u' \geq u$ then $(k, e) \in \mathcal{RV}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u'}$.

2. If $(k, e) \in \mathcal{RE}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u}$ and $u' \geq u$ then $(k, e) \in \mathcal{RE}(\Phi)\llbracket\tau\rrbracket_{\theta;T;u'}$.

Proof (sketch): By examining the definitions, using Lemma 6. $\square$

Lemma 15 (Substitutions are closed under delay). If $(n, \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\rrbracket_{\theta;T;u}$ and $u' \geq u$ then $(n, \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\rrbracket_{\theta;T;u'}$.

Proof (sketch): By induction on the structure of $\Gamma$, using Lemma 14. $\square$

G.  Soundness

Theorem 16 (Soundness). Assume that $\forall A :: \alpha \in \Sigma$, $\forall \Phi, T, n, u$, $(n, A) \in \mathcal{RA}(\Phi)\llbracket\alpha\rrbracket_{\theta;T;u}$. Then

1. (a) • $\mathcal{E} :: u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_\Phi e : \tau$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall U, U'$, $U' \geq U$, let $\gamma_u = [U/u]$,
• $\forall T$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$,
• $T \models \Delta\gamma\gamma_u\gamma_L$
implies $(n; e\gamma) \in \mathcal{RE}(\Phi)\llbracket\tau\gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$

(b) • $\mathcal{E} :: u_1, u_2, i;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_\Phi c : \eta$,
• $\forall u, u_B, u_E, \iota$ s.t. $u \leq u_B \leq u_E$, let $\gamma_1 = [u_B, u_E, \iota/u_1, u_2, i]$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall T$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_1\gamma_L\rrbracket_{\theta;T;u}$,
• $T \models \Delta\gamma\gamma_1\gamma_L$
implies $(n; c\gamma) \in \mathcal{RC}(\Phi)\llbracket\eta\gamma\gamma_1\gamma_L\rrbracket_{\theta;T;u_B,u_E,\iota}$

(c) • $\mathcal{E} :: u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_\Phi c : \eta_c$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall U, U'$, $U' \geq U$, let $\gamma_u = [U/u]$,
• $\forall T$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$,
• $T \models \Delta\gamma\gamma_u\gamma_L$
implies $(n; c\gamma) \in \mathcal{RF}(\Phi)\llbracket\eta_c\gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$

(d) • $\mathcal{E} :: u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash_\Phi a : \alpha$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall U, U'$, $U' \geq U$, let $\gamma_u = [U/u]$,
• $\forall T$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$,
• $T \models \Delta\gamma\gamma_u\gamma_L$

2. (a) • $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall U, U'$, $U' \geq U$, let $\gamma_u = [U/u]$,
• $\forall T$, $\forall \Phi$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$,
• $T \models \Delta\gamma\gamma_u\gamma_L$
implies $(n; e\gamma) \in \mathcal{RE}(\Phi)\llbracket\tau\gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$

(b) • $\mathcal{E} :: u_1, u_2, i;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash c : \eta$,
• $\forall u, u_B, u_E, \iota$ s.t. $u \leq u_B \leq u_E$, let $\gamma_1 = [u_B, u_E, \iota/u_1, u_2, i]$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall T$, $\forall \Phi$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_1\gamma_L\rrbracket_{\theta;T;u}$,
• $T \models \Delta\gamma\gamma_1\gamma_L$
implies $(n; c\gamma) \in \mathcal{RC}(\Phi)\llbracket\eta\gamma\gamma_1\gamma_L\rrbracket_{\theta;T;u_B,u_E,\iota}$

(c) • $\mathcal{E} :: u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash c : \eta_c$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall U, U'$, $U' \geq U$, let $\gamma_u = [U/u]$,
• $\forall T$, $\forall \Phi$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llb racket\Gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$,
• $T \models \Delta\gamma\gamma_u\gamma_L$
implies $(n; c\gamma) \in \mathcal{RF}(\Phi)\llbracket\eta_c\gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$

(d) • $\mathcal{E} :: u{:}\mathsf{b};\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash a : \alpha$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall U, U'$, $U' \geq U$, let $\gamma_u = [U/u]$,
• $\forall T$, $\forall \Phi$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$,
• $T \models \Delta\gamma\gamma_u\gamma_L$
implies $(n; a\gamma) \in \mathcal{RA}(\Phi)\llbracket\alpha\gamma\gamma_u\gamma_L\rrbracket_{\theta;T;U'}$

(e) • $\mathcal{E} :: u_1, u_2, i;\Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi\ \mathsf{silent}$,
• $\forall u, u_B, u_E, \iota$ s.t. $u \leq u_B \leq u_E$,
• let $\gamma_1 = [u_B, u_E, \iota/u_1, u_2, i]$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall \Phi$, $\forall T$, $\forall n, \gamma$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_1\gamma_L\rrbracket_{\theta;T;u}$,
• $j_b$ is the length of $T$ from time $u_B$ to the end of $T$,
• $j_e$ is the length of $T$ from time $u_E$ to the end of $T$,
• $n > j_b \geq j_e$,
• between time $u_B$ and time $u_E$, thread $\iota$ is silent,
• $T \models \Delta\gamma\gamma_1$
implies $T \models \varphi\gamma_1\gamma$

(f) • $\mathcal{E} :: \Theta;\Sigma;\Gamma^L;\Gamma;\Delta \vdash \varphi\ \mathsf{true}$,
• $\forall \theta \in \mathcal{RT}\llbracket\Theta\rrbracket$,
• $\forall \gamma_L \in \llbracket\Gamma^L\rrbracket$,
• $\forall T$, $\forall \Phi$, $\forall n, \gamma, u$, $(n; \gamma) \in \mathcal{RG}(\Phi)\llbracket\Gamma\gamma_L\rrbracket_{\theta;T;u}$,
• $T \models \Delta\gamma_L\gamma$
implies $T \models \varphi\gamma_L\gamma$

Proof. By induction on the structure of $\mathcal{E}$.

Proof of 1.(a).

case: Confine

$$
\frac{\varphi \text{ is trace composable}\quad
\mathcal{E}' :: u_b, u_e, i;\ \Theta;\ \Sigma;\ \Gamma^L, u;\ \Gamma;\ \Delta \vdash \varphi \text{ silent}\quad
u_b{:}b,\ u_e{:}b,\ i{:}b \vdash \varphi \text{ ok}\quad
fa(e) = \emptyset\quad fv(e) \subseteq \Gamma}
{u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e : \mathrm{confine}(\Gamma)(u_b.u_e.i.\varphi)}\ \textsc{Confine}
$$

By assumptions
$\theta \in \mathcal{R}^T[\![\Theta]\!]$, $\gamma_L \in [\![\Gamma^L]\!]$,
$\gamma_u = [U'/u]$, $U' \ge U$, $T \models \Delta\gamma\gamma_u\gamma_L$
and $(n;\gamma) \in \mathcal{R}^G(u_b.u_e.i.\varphi)[\![\Gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (1)

By Lemma 7 and (1)
$(n;\gamma) \in \mathcal{R}^G_{INV}[\![\Gamma]\!]_{T;u_b}$ (2)

By I.H. on $\mathcal{E}'$, given any $i$, $u_b$ and $u_e$,
$i$ is silent between $u_b$ and $u_e$ implies
$T \models \varphi[u_B, u_E, i/u_b, u_e, i]$ (3)

By (1) and (3) and Lemma 8
$(n,\ e\gamma) \in \mathcal{R}^E_{INV}[\![u_b.u_e.i.\varphi]\!]_{T;U'}$ (4)

By (4) and Lemma 7
$(n;\ e\gamma) \in \mathcal{R}^E(u_b.u_e.i.\varphi)[\![\tau\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (5)

Proof of 2.(a).

$$
\frac{\Theta;\ \Sigma;\ \Gamma^L, u;\ \Gamma \vdash \tau_1 \text{ ok}\quad
\mathcal{E}' :: u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma, x : \tau_1;\ \Delta \vdash e : \tau_2}
{u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \lambda x.e : \Pi x{:}\tau_1.\tau_2}\ \textsc{E-Fun}
$$

case: $u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \lambda x.e : \Pi x{:}\tau_1.\tau_2$

By assumptions
$\theta \in \mathcal{R}^T[\![\Theta]\!]$, $\gamma_L \in [\![\Gamma^L]\!]$,
$\gamma_u = [U'/u]$, $U' \ge U$, $T \models \Delta\gamma\gamma_u\gamma_L$
and $(n;\gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (1)

Given $j < n$, $u'' \ge U'$,
and $(j,\ e_0) \in \mathcal{R}^V(\Phi)[\![\tau_1\gamma\gamma_u\gamma_L]\!]_{\theta;T;u''}$ (2)

By Lemma 12 and 15
$(j;\gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma\gamma_u\gamma_L]\!]_{\theta;T;u''}$ (3)

By (2) and (3)
$(j;\ \gamma[x \mapsto e_0]) \in \mathcal{R}^G(\Phi)[\![(\Gamma, x : \tau_1)\gamma_u\gamma_L]\!]_{\theta;T;u''}$ (4)

By I.H. on $\mathcal{E}'$
$(j,\ e\gamma[x \mapsto e_0]) \in \mathcal{R}^E(\Phi)[\![\tau_2\gamma_u\gamma_L\gamma[x \mapsto e_0]]\!]_{\theta;T;u''}$ (5)

Since (5) is derived from the assumption in (2),
$(n,\ \lambda x.e\gamma) \in \mathcal{R}^V(\Phi)[\![(\Pi x{:}\tau_1.\tau_2)\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (6)

By (6)
$(n,\ \lambda x.e\gamma) \in \mathcal{R}^E(\Phi)[\![(\Pi x{:}\tau_1.\tau_2)\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$

$$
\frac{\mathcal{E}_1 :: u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e_1 : \Pi x{:}\tau_1.\tau_2\quad
\mathcal{E}_2 :: u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e_2 : \tau_1}
{u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e_1\, e_2 : \tau_2[e_2/x]}\ \textsc{E-App}
$$

case: $u;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash e_1\, e_2 : \tau_2[e_2/x]$

By assumptions
$\theta \in \mathcal{R}^T[\![\Theta]\!]$, $\gamma_L \in [\![\Gamma^L]\!]$,
$\gamma_u = [U'/u]$, $U' \ge U$, $T \models \Delta\gamma\gamma_u\gamma_L$
and $(n;\gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (1)

By I.H. on $\mathcal{E}_2$
$(n,\ e_2\gamma) \in \mathcal{R}^E(\Phi)[\![\tau_1\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (2)

By I.H. on $\mathcal{E}_1$
$(n,\ e_1\gamma) \in \mathcal{R}^E(\Phi)[\![(\Pi x{:}\tau_1.\tau_2)\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (3)

Assume $(e_1\, e_2)\gamma \longrightarrow^m nf \not\longrightarrow$

By (3),
$(e_1\, e_2)\gamma \longrightarrow^* nf_1\,(e_2\gamma)$,
and $(n - m,\ nf_1) \in \mathcal{R}^V(\Phi)[\![(\Pi x{:}\tau_1.\tau_2)\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (4)

We consider two cases:

subcase 1: $nf_1 = \lambda x.e_1'$

By (4)
$(n - m - 1,\ e_1'[e_2\gamma/x]) \in \mathcal{R}^E(\Phi)[\![\tau_2\gamma\gamma_u\gamma_L[e_2\gamma/x]]\!]_{\theta;T;U'}$ (5)

By (4) and (5)
$(n,\ (e_1\, e_2)\gamma) \in \mathcal{R}^E(\Phi)[\![(\tau_2[e_2/x])\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (6)

subcase 2: $nf_1 \ne \lambda x.e_1'$

By Lemma 9
$(n - m,\ nf_1\,(e_2\gamma)) \in \mathcal{R}^V(\Phi)[\![\tau_2\gamma\gamma_u\gamma_L[e_2\gamma/x]]\!]_{\theta;T;U'}$ (8)

By (8)
$(n,\ (e_1\, e_2)\gamma) \in \mathcal{R}^E(\Phi)[\![(\tau_2[e_2/x])\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}$ (9)
Proof of 2.(c)

case: Fix

Proof of 2.(b)

case: SeqC

$$
\frac{\begin{array}{l}
\mathcal{E}_1 :: u_0, u_1, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_3;\ \Gamma;\ \Delta, u_0 \le u_1 \vdash \varphi_0 \text{ silent}\\
\mathcal{E}_2 :: u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0 : b, u_3;\ \Gamma;\ \Delta, u_1 \le u_2, \varphi_0 \vdash c_1 : x{:}\tau.\varphi_1\\
\mathcal{E}_3 :: u_2, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L, u_0, u_1;\ \Gamma, x : \tau;\ \Delta, u_1 \le u_3, \varphi_0, \varphi_1 \vdash c_2 : y{:}\tau'.\varphi_2\\
\mathcal{E}_4 :: \Theta;\ \Sigma;\ \Gamma^L, u_1, u_2, u_0, u_3, i;\ \Gamma, x{:}\tau, y : \tau';\ \Delta \vdash (\varphi_0 \land \varphi_1 \land \varphi_2) \Rightarrow \varphi \text{ true}\\
\Theta;\ \Sigma;\ \Gamma^L, u_0, u_3, i;\ \Gamma, y : \tau' \vdash \varphi \text{ ok}\qquad
fv(\mathrm{letc}(c_1, x.c_2)) \subseteq \mathrm{dom}(\Gamma)
\end{array}}
{u_0, u_3, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \mathrm{letc}(c_1, x.c_2) : y{:}\tau'.\varphi}\ \textsc{SeqC}
$$

By assumption

Pick time points $u$, $u_b$, $u_e$ and thread id $i$, s.t. $u \le u_b \le u_e$,
let $\gamma_i = [u_b, u_e, i/u_0, u_3, i]$

Pick any trace $T$, such that $T \models \Delta\gamma_L\gamma\gamma_i$,
$\theta \in \mathcal{R}^T[\![\Theta]\!]$, $\gamma_L \in [\![\Gamma^L]\!]$,
$(n;\gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma\gamma_i\gamma_L]\!]_{\theta;T;u}$ (1)

the length of the trace from time $u_b$ to the end of $T$ is $j_b$,
the length of the trace from time $u_e$ to the end of $T$ is $j_e$,
and $n \ge j_b \ge j_e$ (2)

the configuration at time $u_b$ is
$\Sigma_b \triangleright \cdots,\ (i;\ y.c :: K;\ \mathrm{letc}(c_1, x.c_2)\gamma)\ \cdots$,
the configuration at time $u_e$ is
$\cdots,\ (i;\ K;\ c[e/y])\ \cdots$,
and between $u_b$ and $u_e$ (inclusive), the stack of thread $i$
always contains prefix $y.c :: K$ (3)

By the operational semantics
there exist $u_{m1}$, $u_{m2}$ s.t. $u_b \le u_{m1} \le u_{m2} \le u_e$ (4)

the configuration at time $u_{m1}$ is
$\Sigma_{m1} \triangleright \cdots,\ (i;\ x.c_2\gamma :: y.c :: K;\ c_1\gamma)\ \cdots$ (5)

the configuration at time $u_{m2}$ is
$\Sigma_{m2} \triangleright \cdots,\ (i;\ y.c :: K;\ c_2\gamma[e_0/x])\ \cdots$ (6)

By (4)
between time $u_b$ and $u_{m1}$, thread $i$ is silent

By (1),
$T \models (\Delta\gamma_L\gamma\gamma_i,\ (u_0 \le u_1)\gamma_i[u_{m1}/u_1])$

By (1)
$(j_{m1},\ \gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma\gamma_L[u_b/u_3][u_b, u_{m1}, i/u_0, u_1, i]]\!]_{\theta;T;u}$ (7)

By I.H. on $\mathcal{E}_1$ and (5), (6) and (7)
$T \models \varphi_0\gamma\gamma_L\gamma_i[u_{m1}/u_1]$ (8)

Let $\gamma_2 = \gamma\gamma_L\gamma_i[u_{m1}/u_1]$

By (1) and Lemma 15 and $u \le u_{m1}$
$(j_{m1};\ \gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma[u_b, u_{m1}, u_{m2}, u_e, i/u_0, u_1, u_2, u_3, i]]\!]_{\theta;T;u_{m1}}$ (9)

Let $\gamma_3 = [u_{m1}, u_{m2}, i/u_1, u_2, i]$

By I.H. on $\mathcal{E}_2$ and (6), (8), (9)
$(n,\ c_1\gamma) \in \mathcal{R}^C(\Phi)[\![(x{:}\tau.\varphi_1)\gamma_2\gamma_3]\!]_{\theta;T;u_{m1},u_{m2},i}$ (10)

By (10),
let $j_{m2}$ be the length of the trace from time $u_{m2}$ to the end of $T$,
$(j_{m2},\ e_0) \in \mathcal{R}^V(\Phi)[\![\tau\gamma_2\gamma_3]\!]_{\theta;T;u_{m2}}$ and
$T \models \varphi_1\gamma_2\gamma_3[e_0/x]$ (11)

By Lemma 12 and $j_{m2} \le n$

let $\gamma_4 = \gamma\gamma_L[u_b, u_e, i/u_0, u_3, i][u_{m1}, u_{m2}/u_1, u_2][e_0/x]$,
$(j_{m2},\ \gamma[e_0/x]) \in \mathcal{R}^G(\Phi)[\![(\Gamma, x{:}\tau)\gamma_4[u_{m2}, u_e, i/u_2, u_3, i]]\!]_{\theta;T;u_{m2}}$ (12)

By I.H. on $\mathcal{E}_3$, (11), (12)
$(j_{m2},\ c_2\gamma[e_0/x]) \in \mathcal{R}^C(\Phi)[\![(y{:}\tau'.\varphi_2)\gamma_4]\!]_{\theta;T;u_{m2},u_e,i}$ (13)

By (13)
$(j_e,\ e) \in \mathcal{R}^V(\Phi)[\![\tau'\gamma_4]\!]_{\theta;T;u_e}$ and
$T \models \varphi_2\gamma_4[e/y]$ (14)

By I.H. on $\mathcal{E}_4$
$T \models (\varphi_0 \land \varphi_1 \land \varphi_2[e/y])\gamma_4 \Rightarrow \varphi\gamma_4[e/y]$ (15)

$T \models \varphi\gamma_4[e/y]$ (16)

By (14), (15)
$(n,\ \mathrm{letc}(c_1, x.c_2)\gamma) \in \mathcal{R}^C(\Phi)[\![(y{:}\tau'.\varphi)\gamma_L\gamma\gamma_i]\!]_{\theta;T;u_b,u_e,i}$

case: SeqCComp

Proof of 2.(f)

case: Honest

$$
\frac{\mathcal{E}_1 :: u_1, u_2, i;\ \Theta;\ \Sigma;\ \Gamma^L;\ \cdot;\ \Delta \vdash c : \varphi\quad
\mathcal{E}_2 :: \Theta;\ \Sigma;\ \Gamma^L;\ \cdot;\ \Delta \vdash \mathrm{start}(I, c, u) \text{ true}\quad
\Theta;\ \Sigma \vdash \Gamma^L, \Gamma \text{ ok}}
{\Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \forall u'{:}b.\ (u' \ge u) \Rightarrow \varphi[u, u', I/u_1, u_2, i] \text{ true}}\ \textsc{Honest}
$$

By assumptions
$\theta \in \mathcal{R}^T[\![\Theta]\!]$, $\gamma_L \in [\![\Gamma^L]\!]$,
$T \models \Delta\gamma_L$ (1)

To show $T \models_\theta (\forall u'.\ (u' \ge u) \Rightarrow (\varphi[u, u', I/u_1, u_2, i]))\gamma\gamma_L$

By I.H. on $\mathcal{E}_2$
$T \models_\theta \mathrm{start}(I, c, u)\gamma_L$ (2)

By (2)
at time $u\gamma_L$, thread $I\gamma_L$ starts to evaluate $c$ on an empty stack (3)

Given any time $U' \ge u\gamma_L$, and $k$ such that the length of $T$
after $u\gamma_L$ is no less than $k$

By I.H. on $\mathcal{E}_1$
$(k,\ c) \in \mathcal{R}^C(\Phi)[\![\varphi\gamma_L[u\gamma_L, U', I\gamma_L/u_1, u_2, i]]\!]_{\theta;T;u\gamma_L,U',I\gamma_L}$ (4)

because $c$ starts from an empty stack,
$c$ couldn't have returned at time $U'$ (5)

By (4), (5) and (1) and the definition of $\mathcal{R}^C$,
$T \models_\theta \varphi\gamma_L[u\gamma_L, U', I\gamma_L/u_1, u_2, i]$

case: $\forall$I

$$
\frac{\mathcal{E}' :: \Theta;\ \Sigma;\ \Gamma^L, x : \tau;\ \Gamma;\ \Delta \vdash \varphi \text{ true}}
{\Theta;\ \Sigma;\ \Gamma^L;\ \Gamma;\ \Delta \vdash \forall x{:}\tau.\varphi \text{ true}}\ \forall\textsc{I}
$$

By assumptions
$\theta \in \mathcal{R}^T[\![\Theta]\!]$, $\gamma_L \in [\![\Gamma^L]\!]$, $T \models \Delta\gamma\gamma_L$
and $(n;\gamma) \in \mathcal{R}^G(\Phi)[\![\Gamma\gamma_L]\!]_{\theta;T;u}$ (1)

Given any $e$ such that $e \in [\![\tau]\!]$ (2)

$\gamma_L[e/x] \in [\![\Gamma^L, x : \tau]\!]$ (3)

By I.H. on $\mathcal{E}'$
$T \models \varphi\gamma_L[e/x]\gamma$

By definitions
$T \models (\forall x{:}\tau.\varphi)\gamma_L\gamma$

□
H. Proof of State Integrity for Memoir

We prove the correctness of a TPM-based state continuity mechanism that closely follows Memoir [28].

Figure 12 contains our model for the Memoir system.

Abbreviations and Definitions

Figure 13 summarizes the abbreviations we use.

Abbreviations

$$
\begin{aligned}
(\varphi \land \psi)@u &= (\varphi@u) \land (\psi@u) \\
(\varphi \lor \psi)@u &= (\varphi@u) \lor (\psi@u) \\
(\varphi \Rightarrow \psi)@u &= (\varphi@u \Rightarrow \psi@u) \\
(\lnot\varphi)@u &= \lnot(\varphi@u) \\
\top@u &= \top \\
\bot@u &= \bot \\
(\forall x.\varphi)@u &= \forall x.\ (\varphi@u) \\
(\exists x.\varphi)@u &= \exists x.\ (\varphi@u) \\
(\varphi@u')@u &= \varphi@u' \\
\varphi \circ (u_1, u_2) &= \forall u.\ (u_1 < u < u_2) \Rightarrow (\varphi@u) \\
\varphi \circ (u_1, u_2] &= \forall u.\ (u_1 < u \le u_2) \Rightarrow (\varphi@u) \\
\varphi \circ [u_1, u_2) &= \forall u.\ (u_1 \le u < u_2) \Rightarrow (\varphi@u) \\
\varphi \circ [u_1, u_2] &= \forall u.\ (u_1 \le u \le u_2) \Rightarrow (\varphi@u)
\end{aligned}
$$

Figure 13. Abbreviations


At a high level, the four stages of the proof are as follows:

1. PCR Protection: We show that the value of pcr17 contains a certain measurement h only during late launch sessions running MemoirLib (runmodule).

2. NVRAM Protection: We show that after the permissions on a location in the NVRAM have been set to h, the permissions on that location are never changed.

3. Key Secrecy: We show that if the key corresponding to the service is available to a thread, then that thread must have either generated it or read it from the NVRAM.

4. History Summary-State Correspondence: We show that for any two executions of the service, if the history summaries are equal then the states must also be equal.

Finally, from these, we prove the overall state continuity property for Memoir.

PCR Protection. Consider an arbitrary service $s$. Let $s\_hash = \mathrm{hash\_chain}(-1, \mathrm{code\_hash}(runmodule), \mathrm{code\_hash}(s))$. We show that if the value of pcr17 at time $u$ is $s\_hash$, then it must be the case that we are in a late launch session at time $u$. Formally, we show that

$$
\forall u.\ \mathrm{val\_pcr}(pcr17, s\_hash)@u \Rightarrow \mathrm{InLLSess}(u, runmodule) \tag{1}
$$

To prove (1), we use rely-guarantee reasoning in the style of [14]. To prove an invariant $\varphi(u)$ using rely-guarantee reasoning, it is sufficient to show for a choice of $\psi(i, u)$ and $\iota(i)$ that

$$
\begin{aligned}
&(1)\quad \varphi(-\infty) \\
&(2)\quad \forall i, u.\ (\iota(i) \land \forall u' < u.\ \varphi(u')) \Rightarrow \psi(u, i) \\
&(3)\quad (\varphi(u_1) \land \lnot\varphi(u_2) \land (u_1 < u_2)) \Rightarrow
  \exists i, u_3.\ (u_1 < u_3 \le u_2) \land \iota(i) \land \lnot\psi(u_3, i) \land \forall u_4 \in (u_1, u_3).
\end{aligned}
$$

Axioms

We list the axioms we use in Figure 14.

Definitions

$$
\begin{aligned}
\mathrm{LL}(u_1, u_2, e, j) &= \mathrm{LLenter}(e, j)@u_1 \land \lnot\mathrm{LLexit}(j) \circ [u_1, u_2) \land \mathrm{LLexit}(j)@u_2 \\
\mathrm{InLLSess}(u, e, j) &= \exists u_1.\ (u_1 \le u) \land \mathrm{LLenter}(e, j)@u_1 \land \lnot\mathrm{LLexit}(j) \circ [u_1, u) \\
\mathrm{InSomeLLSess}(u, e) &= \exists j.\ \mathrm{InLLSess}(u, e, j) \\
\mathrm{LLThread}(j, e) &= \exists u.\ \mathrm{LLenter}(e, j)@u \\
\mathrm{PCRPrefix}(p, s\_hash) &= \exists h.\ \mathrm{val\_pcr}(pcr17, h) \land \mathrm{hash\_prefix}(h, s\_hash) \\
\mathrm{ExitsPCRProtected}(i, u, s\_hash) &= \mathrm{LLexit}(i)@u \Rightarrow \lnot\mathrm{PCRPrefix}(pcr17, s\_hash)@u
\end{aligned}
$$

Axioms

$$
\begin{aligned}
\text{(LLChain)}\quad & \mathrm{LLChain}(\mathrm{hash\_chain}(-1, \mathrm{code\_hash}(e), \ldots), e) \\
\text{(LLExit)}\quad & \forall s\_hash, u_2, e.\ \mathrm{LLChain}(s\_hash, e) \land \mathrm{val\_pcr}(pcr17, s\_hash)@u_2 \land \lnot\mathrm{InLLSess}(u_2, e) \Rightarrow \\
& \quad \exists u_3, j.\ \mathrm{LLThread}(j, e) \land \mathrm{LLexit}(j)@u_3 \land \mathrm{val\_pcr}(pcr17, h)@u_3 \land \mathrm{hash\_prefix}(h, s\_hash) \\
& \quad \land\ \forall u_4 \in (u_1, u_3).\ \mathrm{val\_pcr}(pcr17, s\_hash)@u_4 \Rightarrow \mathrm{InLLSess}(u_4, e) \\
\text{(PCRInit)}\quad & \mathrm{val\_pcr}(p, 0)@{-\infty} \\
\text{(LLHonest)}\quad & \mathrm{LLEnter}(i, e)@u \Rightarrow \exists e'.\ \mathrm{start}(-\infty, e\ e', i)
\end{aligned}
$$

The next two axiom schemas hold for any action $a(i, t)$:

$$
\begin{aligned}
\text{(LLAct1)}\quad & a(i, t)@u \land \mathrm{InSomeLLSess}(u, e) \Rightarrow \mathrm{InLLSess}(u, e, i) \\
\text{(LLAct2)}\quad & a(i, t)@u \land \mathrm{LLThread}(i, e) \Rightarrow \mathrm{InLLSess}(u, e, i)
\end{aligned}
$$

Figure 14. Definitions and Model-specific axioms about Late Launch
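The abbreviations of Figure 13 and the late-launch definitions of Figure 14 can be evaluated mechanically over a finite trace. The following is an added example, not code from the paper: it encodes $\varphi@u$ and the interval operators $\varphi \circ [u_1, u_2)$ as bounded quantification over list indices, builds InLLSess, InSomeLLSess and ExitsPCRProtected on top of them, and checks invariant (1) on two constructed traces, one in which pcr17 holds $s\_hash$ only inside a late launch session and one in which a session exits while pcr17 still holds it. The event names, thread ids and the tuple model of pcr17 (the values extended since reset, so hash_prefix is tuple-prefix) are assumptions of this example.

```python
"""Finite-trace checker for the late-launch definitions of Figure 14 (added example).

A trace is a constructed list of time steps; step u records the set of atomic
events at time u and the value of pcr17 at time u.  Times are list indices, so
phi@u is predicate evaluation at T[u] and phi o [lo,hi) is quantification over
range(lo, hi)."""

RUNMODULE = "runmodule"
S_HASH = ("reset", "h_runmodule", "h_service")   # constructed hash chain for s_hash


def val_pcr(s, h):
    return s["pcr17"] == h

def ll_enter(s, e, j):
    return ("LLenter", e, j) in s["events"]

def ll_exit(s, j):
    return ("LLexit", j) in s["events"]

def hash_prefix(h, s_hash):
    # h is a prefix of the chain s_hash (pcr17 modelled as the tuple of extensions)
    return s_hash[:len(h)] == h

def holds_over(pred, T, lo, hi, lo_closed=True, hi_closed=False):
    """phi o [lo,hi) (and the other interval forms): pred holds at every u inside."""
    start = lo if lo_closed else lo + 1
    stop = hi + 1 if hi_closed else hi
    return all(pred(T[u]) for u in range(start, stop))

def in_ll_sess(T, u, e, j):
    """InLLSess(u,e,j): exists u1 <= u with LLenter(e,j)@u1 and no LLexit(j) on [u1,u)."""
    return any(ll_enter(T[u1], e, j) and
               holds_over(lambda s: not ll_exit(s, j), T, u1, u)
               for u1 in range(u + 1))

def threads(T):
    return {ev[-1] for s in T for ev in s["events"] if ev[0] in ("LLenter", "LLexit")}

def in_some_ll_sess(T, u, e):
    return any(in_ll_sess(T, u, e, j) for j in threads(T))

def pcr_protection(T, s_hash, e=RUNMODULE):
    """Invariant (1): val_pcr(pcr17, s_hash)@u implies InSomeLLSess(u, e), for every u."""
    return all(not val_pcr(T[u], s_hash) or in_some_ll_sess(T, u, e) for u in range(len(T)))

def exits_pcr_protected(T, j, s_hash):
    """ExitsPCRProtected(j,u,s_hash) at every u: on LLexit(j)@u, pcr17 is not a prefix of s_hash."""
    return all(not ll_exit(T[u], j) or not hash_prefix(T[u]["pcr17"], s_hash)
               for u in range(len(T)))

def blame_exit(T, s_hash, e=RUNMODULE):
    """Condition (3)/(LLExit): for the first u2 where (1) fails, find an earlier LLexit(j)@u3
    at which pcr17 was still a prefix of s_hash.  Returns (u3, j) or None."""
    for u2 in range(len(T)):
        if val_pcr(T[u2], s_hash) and not in_some_ll_sess(T, u2, e):
            return next(((u3, j) for u3 in range(u2, -1, -1) for j in sorted(threads(T))
                         if ll_exit(T[u3], j) and hash_prefix(T[u3]["pcr17"], s_hash)), None)
    return None

def step(pcr, *events):
    return {"pcr17": pcr, "events": set(events)}

def good_trace():
    # constructed: enter, measure service (pcr17 = s_hash), extend with 0, then exit
    return [step(("reset",)),
            step(("reset", "h_runmodule"), ("LLenter", RUNMODULE, 1)),
            step(S_HASH),
            step(S_HASH + ("0",)),
            step(S_HASH + ("0",), ("LLexit", 1)),
            step(S_HASH + ("0",))]

def bad_trace():
    # constructed: the session exits while pcr17 still equals s_hash; a later step (u=4)
    # then sees s_hash outside any session, violating (1)
    return [step(("reset",)),
            step(("reset", "h_runmodule"), ("LLenter", RUNMODULE, 1)),
            step(S_HASH),
            step(S_HASH, ("LLexit", 1)),
            step(S_HASH)]
```

On the good trace pcr_protection holds and thread 1 exits PCR-protected; on the bad trace both fail, and blame_exit returns the offending exit (time 3, thread 1), which is exactly the witness that condition (3) of the rely-guarantee scheme demands.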


We choose $\varphi$, $\psi$ and $\iota$ as below:

$$
\begin{aligned}
\varphi(u) &= \mathrm{val\_pcr}(pcr17, s\_hash)@u \Rightarrow \mathrm{InLLSess}(u, runmodule) \\
\psi(i, u) &= \mathrm{ExitsPCRProtected}(i, u, s\_hash) \\
\iota(i) &= \mathrm{LLThread}(i, runmodule)
\end{aligned}
$$

Condition (1) follows from (PCRInit) and $\lnot\mathrm{hash\_prefix}(0, s\_hash)$. Condition (3) follows directly from axiom (LLExit). To prove condition (2) above, expanding out the definitions of $\varphi$, $\iota$ and $\psi$ above, we need to show that

$$
\begin{aligned}
\forall i, u.\ &(\mathrm{LLThread}(i, runmodule) \\
&\land\ \forall u' < u.\ (\mathrm{val\_pcr}(pcr17, s\_hash)@u' \Rightarrow \mathrm{InLLSess}(u', runmodule))) \\
&\Rightarrow \mathrm{ExitsPCRProtected}(u, i)
\end{aligned} \tag{2}
$$

This can be rewritten as

$$
\begin{aligned}
\forall i.\ &\mathrm{LLThread}(i, runmodule) \Rightarrow \\
&\forall u.\ (\forall u' < u.\ (\mathrm{val\_pcr}(pcr17, s\_hash)@u' \Rightarrow \mathrm{InLLSess}(u', runmodule)) \\
&\qquad \Rightarrow \mathrm{ExitsPCRProtected}(u, i))
\end{aligned} \tag{3}
$$


H.1 Proof

The proof proceeds in four stages. Each step employs the rely-guarantee technique to prove a particular invariant about executions of the system.


Choose an arbitrary thread $i$ such that $\mathrm{LLThread}(i, runmodule)$. Therefore, we have by (LLHonest) that for some $e'$, $\mathrm{start}(-\infty, runmodule\ e', i)$. To use rule HONEST to show (3), we need to show that
1  runmodule =
2    let snapshot =
3      λ(state, summary, skey).
4        encstate ← act(encrypt skey state);
5        auth ← act(mac skey (encstate, summary));
6        ret (encstate, summary, auth)
7
8    let check_snapshot =
9      λ((encstate, freshness_tag, auth), request, history, skey).
10       act(verify_mac skey auth);
11       freshness_tag' ← act(hash (freshness_tag || request));
12       if (freshness_tag = history ∨ freshness_tag' = history, act(dec skey encstate), act(abort()))
13
14   let initialize =
15     λ(service, Nloc).
16       act(extend_pcr(pcr17, code_hash(service)));
17       act(verify_pcr(hash_chain(−1, code_hash(runmodule), code_hash(service))));
18       skey ← act(gen_symkey());
19       let historysummary = 0
20       act(setNVRAMlocPerms(Nloc, pcr17));
21       act(NVRAMwrite(Nloc, (historysummary, skey)));
22       act(extend_pcr(pcr17, 0));
23       servicestate ← (service ExtendPCR ResetPCR ⋯) INIT;
24       act(service_init(skey, service, servicestate, Nloc));
25       snap ← snapshot(servicestate, historysummary, skey);
26       ret ((), snap)
27
28   let execute =
29     λ(service, Nloc, snap, req).
30       act(extend_pcr(pcr17, code_hash(service)));
31       (skey, historysummary) ← act(NVRAMread Nloc);
32       servicestate ← check_snapshot(snap, req, historysummary, skey);
33       newsummary ← act(hash (historysummary || req));
34       act(NVRAMwrite(Nloc, (newsummary, skey)));
35       act(extend_pcr(pcr17, 0));
36       act(service_try(skey, service, servicestate, Nloc));
37       (newstate, resp) ← (service ExtendPCR ResetPCR ⋯) (EXEC (servicestate, req));
38       snap ← snapshot(newstate, newsummary, skey);
39       act(service_invoke(skey, service, servicestate, newstate, Nloc));
40       ret (resp, snap)
41
42   λ(service, Nloc, call).
43     (resp, snap) ← (case call of
44         INIT ⇒ initialize(service, Nloc)
45       | EXEC(snap, req) ⇒ execute(service, Nloc, snap, req));
46     act(send(resp, snap));
47     act(ll_exit())

Figure 12. runmodule: A model of Memoir's state isolation mechanism
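To make the mechanism of Figure 12 concrete, here is an added executable model of runmodule; it is example code written for this page, not the paper's own model or Memoir's implementation. The abstract TPM actions are replaced by a small in-memory TPM object whose NVRAM locations are bound to the pcr17 value recorded at setNVRAMlocPerms time (axioms SetPerms/GetPerms of Figure 15); hash and mac are SHA-256 and HMAC, encrypt is a constructed SHA-256 keystream XOR for illustration only, and pcr17 is modelled as the tuple of values extended since late-launch reset. The snapshot returned by execute is assumed to carry the post-request state and the updated history summary. The demo exercises the three behaviours the proof stages are about: pcr17 is not a prefix of s_hash once the session exits, the NVRAM location is unreadable outside the session, and a superseded snapshot is rejected while a retry after a simulated crash (NVRAM updated, snapshot never delivered) is accepted through the freshness_tag' branch of check_snapshot.

```python
"""Executable model of the runmodule of Figure 12 (added example, not the paper's code)."""
import hashlib
import hmac
import os

RESET = ()                        # late-launch reset value of pcr17, written -1 in the paper
RUNMODULE_CODE = b"runmodule"     # constructed stand-ins for the measured code
SERVICE_CODE = b"counter-service"


def code_hash(code):
    return hashlib.sha256(code).digest()

def hash_chain(*extensions):
    # a PCR value is the tuple of values extended since reset
    return RESET + tuple(extensions)

def hash_prefix(h, s_hash):
    return s_hash[:len(h)] == h

class TPM:
    def __init__(self):
        self.pcr17 = RESET                      # (PCRInit)
        self.nv = {}                            # Nloc -> [pcr17 value at SetNVPerms, contents]
    def ll_enter(self):                         # late launch: reset pcr17, measure runmodule
        self.pcr17 = hash_chain(code_hash(RUNMODULE_CODE))
    def ll_exit(self):
        pass                                    # pcr17 keeps whatever was extended into it
    def extend_pcr(self, v):
        self.pcr17 = self.pcr17 + (v,)
    def verify_pcr(self, expected):
        if self.pcr17 != expected:
            raise PermissionError("pcr17 mismatch")
    def set_nv_perms(self, loc):                # (SetPerms): bind loc to the current pcr17
        self.nv[loc] = [self.pcr17, None]
    def _check(self, loc):                      # (GetPerms): access only while pcr17 matches
        if self.pcr17 != self.nv[loc][0]:
            raise PermissionError("NVRAM access denied")
    def nv_write(self, loc, value):
        self._check(loc); self.nv[loc][1] = value
    def nv_read(self, loc):
        self._check(loc); return self.nv[loc][1]

def encrypt(skey, data):                        # constructed toy stream cipher; decrypt == encrypt
    stream = b"".join(hashlib.sha256(skey + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def snapshot(state, summary, skey):             # lines 2-6 of Figure 12
    enc = encrypt(skey, state)
    auth = hmac.new(skey, enc + summary, hashlib.sha256).digest()
    return (enc, summary, auth)

def check_snapshot(snap, req, history, skey):   # lines 8-12 of Figure 12
    enc, tag, auth = snap
    if not hmac.compare_digest(auth, hmac.new(skey, enc + tag, hashlib.sha256).digest()):
        raise ValueError("bad snapshot MAC")
    tag2 = hashlib.sha256(tag + req).digest()   # summary after applying req to this snapshot
    if tag == history or tag2 == history:       # current, or interrupted before delivery
        return encrypt(skey, enc)
    raise ValueError("stale snapshot: rollback detected")

def counter_service(mode, state=None, req=None):  # constructed deterministic service
    if mode == "INIT":
        return (0).to_bytes(8, "big")
    n = int.from_bytes(state, "big")
    return (n + 1).to_bytes(8, "big"), n        # (newstate, resp)

def runmodule(tpm, loc, call):
    tpm.ll_enter()
    try:
        tpm.extend_pcr(code_hash(SERVICE_CODE))
        s_hash = hash_chain(code_hash(RUNMODULE_CODE), code_hash(SERVICE_CODE))
        if call[0] == "INIT":
            tpm.verify_pcr(s_hash)
            skey, history = os.urandom(32), b"\x00" * 32
            tpm.set_nv_perms(loc)
            tpm.nv_write(loc, (history, skey))
            tpm.extend_pcr(b"\x00")             # pcr17 is no longer a prefix of s_hash
            return None, snapshot(counter_service("INIT"), history, skey)
        _, snap, req = call
        history, skey = tpm.nv_read(loc)
        state = check_snapshot(snap, req, history, skey)
        newsummary = hashlib.sha256(history + req).digest()
        tpm.nv_write(loc, (newsummary, skey))   # history committed before the service runs
        tpm.extend_pcr(b"\x00")                 # the confined service cannot reach NVRAM now
        newstate, resp = counter_service("EXEC", state, req)
        return resp, snapshot(newstate, newsummary, skey)
    finally:
        tpm.ll_exit()

def demo():
    tpm, loc = TPM(), "nloc"
    _, snap0 = runmodule(tpm, loc, ("INIT",))
    s_hash = hash_chain(code_hash(RUNMODULE_CODE), code_hash(SERVICE_CODE))
    out = {"pcr_not_prefix_after_exit": not hash_prefix(tpm.pcr17, s_hash)}
    try:
        tpm.nv_read(loc); out["nv_denied_outside_session"] = False
    except PermissionError:
        out["nv_denied_outside_session"] = True
    out["resp1"], snap1 = runmodule(tpm, loc, ("EXEC", snap0, b"req1"))
    try:                                        # replay of the superseded snapshot snap0
        runmodule(tpm, loc, ("EXEC", snap0, b"req2")); out["rollback_rejected"] = False
    except ValueError:
        out["rollback_rejected"] = True
    runmodule(tpm, loc, ("EXEC", snap1, b"req2"))   # result lost: crash before delivery
    out["retry_resp"], _ = runmodule(tpm, loc, ("EXEC", snap1, b"req2"))
    return out
```

The retry succeeds only because the request is re-applied deterministically to the same old state, so the NVRAM summary H(history || req) and the snapshot's tag' agree; a different request against the same stale snapshot is rejected, which is the rollback case the history summary exists to detect.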


$$
\begin{aligned}
\vdash runmodule :\ &\Pi(s : \mathrm{any},\ l : \mathrm{ptr},\ snap : \mathrm{msg}).\ \mathrm{cmp}(u_b, u_e, i.\\
&\quad (\forall u'.\ u_b \le u' < u.\ (\mathrm{val\_pcr}(pcr17, s\_hash)@u' \Rightarrow \mathrm{InLLSess}(u', runmodule))) \\
&\quad \Rightarrow \mathrm{ExitsPCRProtected}(u, i))
\end{aligned} \tag{4}
$$

The key step in typing runmodule is to type the execution of $s$ supplied by the adversary using the CONFINE rule. Essentially, we need to show that the service cannot exit with pcr17 containing a prefix of $s\_hash$. The service is confined to the actions provided by the TPM, and we can show that each of them has the following invariant:

$$
\begin{aligned}
f : \mathrm{cmp}(u_b, u_e, i.\ &\lnot\mathrm{PCRPrefix}(pcr17, s\_hash)@u_b \Rightarrow \\
&\forall u \in [u_b, u_e].\ (\mathrm{InLLSession}(u, runmodule, i) \Rightarrow \lnot\mathrm{PCRPrefix}(pcr17, s\_hash)@u))
\end{aligned} \tag{5}
$$

Therefore, we can give $s$ the same type. We have now shown that by the end of the service, the late launch session has either terminated or the value of pcr17 is not a prefix of $s\_hash$. Using (LLAct2), we can now show the required condition.

NVRAM Protection.

Axioms

We want to show that the permissions on the NVRAM are always tied to the value of pcr17 being $s\_hash$:

Axioms

$$
\begin{aligned}
\text{(SetPerms)}\quad & \mathrm{SetNVPerms}(i, Nloc, p)@u \land \mathrm{val\_pcr}(p, h)@u \Rightarrow \mathrm{NVPerms}(Nloc, p, h)@u \\
\text{(GetPerms)}\quad & (\mathrm{SetNVPerms}(i, Nloc, p')@u \lor \mathrm{NVRead}(i, Nloc, p')@u \lor \mathrm{NVWrite}(i, Nloc, p')@u) \\
& \quad \land\ \mathrm{NVPerms}(Nloc, p, h)@u \Rightarrow \mathrm{val\_pcr}(p, h)@u \\
\text{(NVPerms)}\quad & \mathrm{NVPerms}(Nloc, p, h)@u_1 \land \lnot\mathrm{NVPerms}(Nloc, p, h)@u_2 \land (u_1 < u_2) \Rightarrow \\
& \quad \exists u_3, j, p', h'.\ (u_1 < u_3 \le u_2) \land \mathrm{val\_pcr}(p', h')@u_3 \\
& \quad \land\ \mathrm{SetNVPerms}(j, Nloc, p')@u_3 \land (p \ne p' \lor h \ne h') \\
& \quad \land\ \forall u_4 \in (u_1, u_3).\ \mathrm{NVPerms}(Nloc, p, h)@u_4
\end{aligned}
$$

Figure 15. Model-specific axioms about NVRAM

$$
(\mathrm{SetNVPerms}(i, Nloc, pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash))@u_i
\Rightarrow \forall (u \ge u_i).\ \mathrm{NVPerms}(Nloc, pcr17, s\_hash)@u \tag{6}
$$

Assume that for some time point $u_i$,

$$
(\mathrm{SetNVPerms}(i, Nloc, pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash))@u_i \tag{7}
$$

We now need to show that

$$
\forall (u \ge u_i).\ \mathrm{NVPerms}(Nloc, pcr17, s\_hash)@u
$$

Again, we prove this invariant by rely-guarantee reasoning, where we choose $\varphi$, $\psi$ and $\iota$ to be the following.

$$
\begin{aligned}
\varphi(u) &= \mathrm{NVPerms}(Nloc, pcr17, s\_hash)@u \\
\psi(i, u) &= (\mathrm{SetNVPerms}(i, Nloc, p) \Rightarrow (p = pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash))@u \\
\iota(i) &= \mathrm{LLThread}(i, runmodule)
\end{aligned}
$$

Expanding condition (1), we need to show the following:

$$
\mathrm{NVPerms}(Nloc, pcr17, s\_hash)@u_i
$$

This holds by Axiom (SetPerms) and (7).

Expanding condition (2), choose $i$ such that $\mathrm{LLThread}(i, runmodule)$. We need to show that $\forall u \ge u_i.\ (\forall u' \in [u_i, u).\ \varphi(u')) \Rightarrow \psi(i, u)$:

$$
\begin{aligned}
\vdash runmodule :\ &\Pi(s : \mathrm{any},\ l : \mathrm{ptr},\ snap : \mathrm{msg}).\ \mathrm{cmp}(u_b, u_e, i.\\
&\quad \forall u \in (u_b, u_e].\ \forall u' \in [u_i, u).\ \mathrm{NVPerms}(Nloc, pcr17, s\_hash)@u' \Rightarrow \\
&\quad \mathrm{SetNVPerms}(i, Nloc, p)@u \Rightarrow (p = pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash)@u)
\end{aligned} \tag{8}
$$

Again, the key step in typing runmodule is to type the execution of $s$ supplied by the adversary using the CONFINE rule. Essentially, we show that the service is not allowed to set the permissions of $Nloc$ at all:

$$
\begin{aligned}
f : \mathrm{cmp}(u_b, u_e, i.\ &\lnot\mathrm{PCRPrefix}(pcr17, s\_hash)@u_b \Rightarrow \\
&\forall u \in [u_b, u_e].\ (\mathrm{InLLSession}(u, runmodule, i) \Rightarrow \forall p.\ \lnot\mathrm{SetNVRAMPerms}(i, Nloc, p)@u))
\end{aligned} \tag{9}
$$

Condition (3) follows from (NVPerms), (GetPerms) and (1).

In particular, we can show from (6) and (GetPerms):

$$
\begin{aligned}
(\mathrm{SetNVPerms}(i, Nloc, pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash))@u_i
\Rightarrow\ &\forall (u \ge u_i).\ \mathrm{ReadNV}(j, Nloc)@u \\
&\Rightarrow \mathrm{val\_pcr}(pcr17, s\_hash)@u
\end{aligned} \tag{10}
$$

And by (1)


Definitions

$$
\begin{aligned}
\mathrm{NVContains}(Nloc, s) &= \exists m.\ \mathrm{Contains}(m, s) \land \mathrm{val\_NV}(m, s) \\
\mathrm{Private}(s, Nloc, u) &= \forall u' \le u.\ (\mathrm{Send}(i, m)@u' \Rightarrow \lnot\mathrm{Contains}(m, s) \\
&\qquad \land\ \forall Nloc'.\ (\mathrm{NVContains}(Nloc', s)@u' \Rightarrow (Nloc' = Nloc))) \\
\mathrm{KeepsPrivate}(i, s, Nloc) &= \mathrm{Send}(i, m) \Rightarrow \lnot\mathrm{Contains}(m, s) \\
&\qquad \land\ \forall Nloc'.\ (\mathrm{WriteNV}(Nloc', m) \land \mathrm{Contains}(m, s) \Rightarrow Nloc = Nloc') \\
\mathrm{NewInLL}(s, e) &= \mathrm{New}(i, s)@u \Rightarrow \mathrm{InLLSess}(u, e, i)
\end{aligned}
$$

Axioms

$$
\begin{aligned}
\text{(Shared)}\quad & \mathrm{LLChain}(h, e) \land \mathrm{NewInLL}(s, e) \land \forall u \ge u_i.\ \mathrm{NVPerms}(Nloc, pcr17, h) \Rightarrow \\
& \quad \forall u_1, u_2 \in (u_i, \infty].\ \mathrm{Private}(s, Nloc, u_1) \land \lnot\mathrm{Private}(s, Nloc, u_2) \Rightarrow \\
& \quad \exists i, u_3.\ (u_1 < u_3 \le u_2) \land (\mathrm{LLThread}(i, e) \land \lnot\mathrm{KeepsPrivate}(i, s, Nloc)@u_3) \\
& \quad \land\ \forall u \in (u_1, u_3).\ \mathrm{Private}(s, Nloc, u) \\
\text{(POS)}\quad & \mathrm{Private}(s, Nloc, u) \land \mathrm{Has}(i, s)@u \Rightarrow \\
& \quad (\exists u'.\ (u' \le u) \land \mathrm{New}(i, s)@u') \lor \\
& \quad (\exists u'.\ (u' \le u) \land \mathrm{ReadNV}(i, Nloc, m)@u' \land \mathrm{Contains}(m, s)) \\
\text{(PrivateInit)}\quad & \mathrm{New}(s)@u \Rightarrow \mathrm{Private}(s, Nloc, u) \\
\text{(New3)}\quad & \mathrm{New}(i, n)@u \land \mathrm{New}(i', n)@u' \Rightarrow (i = i') \land (u = u')
\end{aligned}
$$

Assumption about service_init:

$$
\text{(Init)}\quad \mathrm{service\_init}(i, skey, service, state, Nloc)@u_i \Rightarrow
\exists u.\ (u \le u_i) \land \mathrm{Start}(i, runmodule\ service\ Nloc\ \mathrm{INIT})@u
$$

Figure 16. Definitions and Model-specific axioms about Secrecy

$$
\begin{aligned}
(\mathrm{SetNVPerms}(i, Nloc, pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash))@u_i
\Rightarrow\ &\forall (u \ge u_i).\ \mathrm{ReadNV}(j, Nloc)@u \\
&\Rightarrow \mathrm{InSomeLLSess}(u, runmodule)
\end{aligned} \tag{11}
$$

Therefore, by (LLAct), we have that

$$
\begin{aligned}
(\mathrm{SetNVPerms}(i, Nloc, pcr17) \land \mathrm{val\_pcr}(pcr17, s\_hash))@u_i
\Rightarrow\ &\forall j.\ (u \ge u_i) \Rightarrow \mathrm{ReadNV}(j, Nloc)@u \\
&\Rightarrow \mathrm{InLLSess}(u, runmodule, j)
\end{aligned} \tag{12}
$$

This means that whenever a thread $i$ reads from $Nloc$ at time $u$, it must be the case that $i$ is in a late launch session running runmodule at time $u$.

Key Secrecy. We now show that after initialization, if any thread $j$ has the key corresponding to the service, then that thread must have read it from $Nloc$ or the thread is the initialization thread itself.

$$
\begin{aligned}
\forall i, u_i, state, skey, Nloc.\ &\mathrm{service\_init}(i, skey, state, Nloc)@u_i \Rightarrow \\
&\forall j, u \ge u_i.\ \mathrm{Has}(j, skey)@u \Rightarrow (j = i) \lor \\
&\quad \exists u', m.\ (u_i \le u' \le u) \land \mathrm{ReadNV}(j, Nloc, m)@u' \land \mathrm{Contains}(m, skey)
\end{aligned} \tag{13}
$$

Fix $i$, $u_i$, $skey$, $service$, $Nloc$.

Assume $\mathrm{service\_init}(i, skey, service, state, Nloc)@u_i$. By (Init) and (HON), we have

We assume that $service$ has the following type:

$$
\begin{aligned}
(service\ \mathrm{ExtendPCR}\ \mathrm{ResetPCR}\ \cdots) :\ &\Pi x : \mathrm{msg}.\ \mathrm{cmp}(u_b, u_e, i.\\
&\quad (\forall x : \mathrm{msg}.\ \lnot\mathrm{Contains}(x, s) \Rightarrow \lnot\mathrm{Contains}(x, s), \\
&\quad\ \mathrm{KeepsSecret}(i, skey, Nloc) \circ [u_b, u_e]))
\end{aligned} \tag{14}
$$

$$
\begin{aligned}
\exists u_1, u_2, u_3, u_4.\ &(u_1 < u_2 < u_3 < u_4 < u_i)\ \land \\
&\mathrm{VerifyPCR}(pcr17, s\_hash)@u_1\ \land \\
&\mathrm{New}(skey)@u_2\ \land \\
&\mathrm{SetNVPerms}(i, Nloc, pcr17)@u_3\ \land \\
&\mathrm{NVWrite}(i, Nloc, (skey, h))@u_4\ \land \\
&\lnot\mathrm{SetNVPerms}(i, Nloc, p) \circ (u_3, u_i]\ \land \\
&\lnot(\mathrm{Extend}(i, pcr17, x) \lor \mathrm{Reset}(i, pcr17)) \circ (u_1, u_3]\ \land \\
&\lnot\mathrm{Send}(i, m) \circ (u_1, u_i]
\end{aligned} \tag{15}
$$

We prove this by another rely-guarantee proof, very similar to the proof of Kerberos in [14]:

$$
\begin{aligned}
\varphi(u) &= \mathrm{Private}(skey, Nloc, u) \\
\psi(i, u) &= \mathrm{KeepsPrivate}(i, skey, Nloc)@u \\
\iota(i) &= \mathrm{LLThread}(i, runmodule)
\end{aligned}
$$

Condition (1) holds from (15) and (LLAct).

To prove condition (2) we again use the HONEST rule. However, the property required cannot be derived by CONFINE. We assume that the

The key step here is the typing of the execution of $s$:

$$
(s\ \mathrm{ExtendPCR}\ \mathrm{ResetPCR}\ \cdots)\ (\mathrm{EXEC}(servicestate, req))
$$

Here, we use the Eq rule. As we know that $s = service$, from (14) we can assign

$$
\begin{aligned}
(s\ \mathrm{ExtendPCR}\ \mathrm{ResetPCR}\ \cdots) :\ &\Pi x : \mathrm{msg}.\ \mathrm{cmp}(u_b, u_e, i.\\
&\quad (\forall x : \mathrm{msg}.\ \lnot\mathrm{Contains}(x, s) \Rightarrow \lnot\mathrm{Contains}(x, s), \\
&\quad\ \mathrm{KeepsSecret}(i, skey, Nloc) \circ [u_b, u_e]))
\end{aligned} \tag{16}
$$

Condition (3) follows from (Shared) and (12).

State to History Summary Correspondence. We state without proof an invariant that the history summary has a one-to-one correspondence with the state. This is proved through an induction on the history summary.

$$
\begin{aligned}
\forall i, u_i, state, skey, Nloc.\ &\mathrm{service\_init}(i, skey, state, Nloc, \ldots)@u_i \Rightarrow \\
&\forall h, state, state', j, j', u, u'.\ u \ge u_i \land u' \ge u_i \Rightarrow \\
&\quad \mathrm{mac}(j, skey, (state, h))@u \land \mathrm{mac}(j', skey, (state', h))@u' \Rightarrow (state = state')
\end{aligned} \tag{17}
$$

State Continuity. The high level property we prove about Memoir is as follows:

$$
\begin{aligned}
\forall u_i, state, state', skey, i_{init}, s_{init}.\ &\mathrm{service\_init}(i_{init}, skey, service, s_{init})@u_i \Rightarrow \\
&\forall u \ge u_i.\ \mathrm{service\_invoke}(i, skey, state, state')@u \Rightarrow \\
&\quad \exists j, u' < u.\ ((\exists s.\ \mathrm{service\_invoke}(j, skey, s, state)@u' \\
&\qquad \lor \mathrm{service\_try}(j, skey, state)@u' \\
&\qquad \lor \mathrm{service\_init}(j, skey, state)@u') \\
&\quad \land\ (\forall j'.\ \lnot\mathrm{service\_invoke}(j', skey, \cdots) \circ (u', u]))
\end{aligned} \tag{18}
$$

Fix an $i$, $u$, $state$, $skey$.

Assume $\mathrm{service\_init}(i_{init}, skey, service, s_{init})@u_i$.

For some $u \ge u_i$ assume that $\mathrm{service\_invoke}(i, skey, state, state')@u$.

Therefore we have $\mathrm{Has}(j, skey)@u$. By (13) we have that one of the two holds:

$$
i = j\ \lor\ \exists u'.\ u_i \le u' \le u.\ \mathrm{ReadNV}(j, Nloc, m)@u' \land \mathrm{Contains}(m, skey) \tag{19}
$$

We analyze each case:

• Case $i = j$:

We have from (Init) and $\mathrm{service\_init}(i, skey, service, s_{init})$ that

$$
\exists u.\ (u \le u_i) \land \mathrm{Start}(i, runmodule\ service\ Nloc\ \mathrm{INIT})@u
$$

With HONEST, we can show that service_invoke does not occur on $i$ and we have a contradiction.

• Case $\exists u' \in (u_i, u).\ \mathrm{ReadNV}(j, Nloc, m)@u' \land \mathrm{Contains}(m, skey)$:

In this case, by (12) we have that $\mathrm{LLThread}(j, runmodule)$. Therefore, by HONEST,

$$
\mathrm{ReadNVRAM}(j, (Nloc, h))@u'
$$

By (NVRAMRead), we have that $\exists u'' < u$ such that

$$
\mathrm{WriteNV}(j'', Nloc, m)@u'' \land \forall j''.\ \lnot\mathrm{WriteNV}(j'', Nloc, m') \circ (u'', u']
$$

Again, by (12) we have that

$$
\mathrm{LLThread}(j'', runmodule)
$$

$$
\mathrm{WriteNV}(j'', Nloc, (skey, h))@u''
$$

And by HONEST, we can derive that

$$
\mathrm{mac}(j'', skey, (\mathrm{ENC}_{skey}(state'), h))
$$

Also, we have two cases from (20) and HONEST from the branch at Line 12 of runmodule:

■ Case 1:

$$
\mathrm{verifyMAC}(j, skey, (\mathrm{ENC}_{skey}(state), h)) \tag{25}
$$

From (25) and (MAC), we have

$$
\mathrm{mac}(j'', skey, (\mathrm{ENC}_{skey}(state), h)) \tag{26}
$$

By (17) on (25) and (28), we have $state' = state$. We then have from (24)

$$
\mathrm{service\_invoke}(j'', skey, s', state)@u'\ \lor\ \mathrm{service\_init}(j'', skey, service, state)@u'
$$

Also, from , we have that $\forall j''.\ \lnot\mathrm{service\_invoke}(j'', \cdots)$.

■ Case 2:

$$
\mathrm{verifyMAC}(j, skey, (\mathrm{ENC}_{skey}(state), h')) \land h = H(req \| h') \tag{28}
$$

This case proceeds similarly to the previous.